PatchSiren cyber security CVE debrief
CVE-2017-3296 Oracle CVE debrief
CVE-2017-3296 is a medium-severity Oracle Commerce Platform issue in the Dynamo Application Framework component. NVD describes it as an easily exploitable vulnerability reachable over HTTP by an unauthenticated attacker, but successful exploitation requires user interaction from someone other than the attacker. The documented impact is limited to unauthorized read access to a subset of Oracle Commerce Platform accessible data.
- Vendor: Oracle
- Product: CVE-2017-3296
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Organizations running Oracle Commerce Platform versions 10.0.3.5, 10.2.0.5, or 11.2.0.2 should review this issue, especially teams responsible for internet-facing deployments, application security, and patch management.
Technical summary
NVD lists the issue with CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N, indicating a network-reachable flaw with no privileges required, but with required user interaction and confidentiality impact only. The affected CPE entries identify Oracle Commerce Platform 10.0.3.5, 10.2.0.5, and 11.2.0.2. The primary weakness classification is CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).
Defensive priority
Medium. The issue is network-accessible and unauthenticated, but it requires user interaction and the documented impact is limited to information disclosure. Prioritize remediation for any exposed Oracle Commerce Platform instance, while noting that it is not described as a code-execution or availability-impacting flaw.
Recommended defensive actions
- Check whether Oracle Commerce Platform 10.0.3.5, 10.2.0.5, or 11.2.0.2 is deployed in your environment.
- Review Oracle's January 2017 Critical Patch Update advisory referenced by NVD and apply the vendor-recommended remediation for the affected product line.
- Reduce exposure of Oracle Commerce Platform endpoints to trusted networks where possible, since the issue is reachable via HTTP.
- Audit application flows that depend on user interaction to understand whether this condition can be triggered in your deployment.
- Review access to data exposed through Oracle Commerce Platform and monitor for unexpected reads or anomalous application activity.
Evidence notes
This debrief is based on the official CVE/NVD record and the Oracle vendor advisory linked by NVD. The CVE was published on 2017-01-27 and last modified on 2026-05-13. NVD lists the affected versions as 10.0.3.5, 10.2.0.5, and 11.2.0.2, and gives the CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N with CWE-200.
Official resources
- CVE-2017-3296 CVE record (CVE.org)
- CVE-2017-3296 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
CVE published: 2017-01-27T22:59:04.070Z. CVE last modified: 2026-05-13T00:24:29.033Z. The dates reflect the official CVE/NVD record timeline, not PatchSiren publication time.