PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3297 Oracle CVE debrief

CVE-2017-3297 is a medium-severity vulnerability in Oracle FLEXCUBE Direct Banking affecting the Framework subcomponent in supported versions 12.0.2 and 12.0.3. According to Oracle and NVD, a low-privileged attacker with network access via HTTP may be able to compromise the application and gain unauthorized access to critical data, or to all data accessible to Oracle FLEXCUBE Direct Banking. NVD assigns a CVSS 3.0 base score of 5.3 with confidentiality impact only, and the CVE was published on 2017-01-27.

Vendor: Oracle
Product: Oracle FLEXCUBE Direct Banking
CVE: CVE-2017-3297
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle FLEXCUBE Direct Banking administrators, application owners, banking IT security teams, and anyone responsible for an environment still running affected 12.0.2 or 12.0.3 deployments should prioritize review.

Technical summary

The NVD record classifies the vulnerability as network-reachable over HTTP with high attack complexity, low privileges required, and no user interaction. The CVSS vector is AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating confidentiality loss without integrity or availability impact in the base score; the AC:H component is what keeps the base score at 5.3 despite the high confidentiality impact. The published description says successful exploitation can expose critical data or all data accessible to Oracle FLEXCUBE Direct Banking. NVD lists the affected CPEs as oracle:flexcube_direct_banking 12.0.2 and 12.0.3. The weakness is recorded as NVD-CWE-noinfo, so the root cause is not specified in the supplied sources.

Defensive priority

Medium. Treat as a patch and exposure-reduction issue for any affected FLEXCUBE Direct Banking deployment, especially if the service is reachable over HTTP from networks beyond the immediate administrative boundary.

Recommended defensive actions

  • Verify whether Oracle FLEXCUBE Direct Banking versions 12.0.2 or 12.0.3 are deployed in any production, test, or DR environment.
  • Review Oracle's January 2017 CPU advisory referenced by NVD for vendor remediation guidance.
  • Restrict network reachability to the application to only required administrative or business sources, with special attention to HTTP exposure.
  • Apply Oracle-provided remediation or upgrade guidance for affected releases as soon as operationally feasible.
  • Audit access controls and authentication paths around FLEXCUBE Direct Banking to reduce the impact of low-privilege access.
  • Validate that monitoring and logging are enabled for suspicious access to sensitive banking data.

Evidence notes

Source corpus includes the official CVE record and NVD detail page, plus NVD metadata referencing Oracle's January 2017 CPU advisory and secondary references. The published CVE description states the affected product, versions, attack conditions, and confidentiality impact. NVD provides the CVSS 3.0 vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N and lists the vulnerable CPEs for versions 12.0.2 and 12.0.3. No exploit code, proof-of-concept, or active exploitation status is present in the supplied sources.

Official resources

Published by NVD/CVE on 2017-01-27. The supplied sources do not include a later exploit disclosure, KEV listing, or ransomware linkage.