PatchSiren

CVE-2017-3292 Oracle CVE debrief

CVE-2017-3292 affects Oracle PeopleSoft Enterprise PeopleTools, specifically the Integration Broker subcomponent, in supported versions 8.54 and 8.55. The NVD record describes a network-reachable issue that is easily exploitable by a low-privileged attacker over HTTP, but it also requires human interaction from someone other than the attacker. The main impact is confidentiality: successful exploitation can expose critical data or all PeopleSoft Enterprise PeopleTools accessible data. The vulnerability is associated with CWE-200 and a CVSS v3.0 base score of 5.7 (Medium).

Vendor: Oracle
Product: CVE-2017-3292
CVSS: MEDIUM 5.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle PeopleSoft administrators, application security teams, and operations teams responsible for PeopleSoft Enterprise PeopleTools deployments—especially any environment exposing Integration Broker functionality over HTTP.

Technical summary

The NVD record lists CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N and maps the weakness to CWE-200. That means the issue is reachable over the network (AV:N), has low attack complexity (AC:L), and can be triggered by a low-privileged actor (PR:L), but it depends on user interaction (UI:R). The documented impact is confidentiality-only (C:H), with no integrity or availability impact in the CVSS vector (I:N, A:N). Affected CPEs in the record are Oracle PeopleSoft Enterprise PeopleTools 8.54 and 8.55.

Defensive priority

Medium. Prioritize remediation for any exposed PeopleSoft deployments, because the issue is network-reachable and can expose sensitive data, even though it requires user interaction and does not indicate integrity or availability impact.

Recommended defensive actions

  • Confirm whether Oracle PeopleSoft Enterprise PeopleTools 8.54 or 8.55 is deployed in your environment.
  • Review Oracle's January 2017 CPU advisory referenced in the NVD record and apply the vendor patch or remediation guidance.
  • Restrict or monitor HTTP exposure to PeopleSoft Integration Broker endpoints where feasible.
  • Audit authentication, session handling, and user-interaction workflows around Integration Broker for unexpected access patterns.
  • Search for signs of unauthorized data exposure in affected PeopleSoft environments.
  • Use the NVD and CVE records as the authoritative starting point for internal remediation tracking.

Evidence notes

All substantive claims are supported by the supplied NVD record: affected versions 8.54 and 8.55; subcomponent Integration Broker; network access via HTTP; low-privilege attacker; required human interaction; confidentiality impact; CVSS v3.0 5.7; and CWE-200. Oracle's January 2017 CPU advisory is referenced in the NVD record, but its contents were not independently expanded beyond the supplied reference metadata.

Official resources

The CVE record was published on 2017-01-27T22:59:03.943Z and the NVD record was last modified on 2026-05-13T00:24:29.033Z. The vulnerability date should be treated as the published CVE date, not the later modification timestamp.