PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3299 Oracle CVE debrief

CVE-2017-3299 is an Oracle PeopleSoft Enterprise PeopleTools vulnerability in the PIA Search Functionality affecting supported versions 8.54 and 8.55. Oracle/NVD describe it as easily exploitable over HTTP by an unauthenticated network attacker, but successful exploitation requires human interaction from someone other than the attacker. If exploited, the issue can expose a subset of PeopleSoft PeopleTools data and allow unauthorized insert, update, delete, and read access. The CVSS v3.0 base score is 6.1 (Medium).

Vendor: Oracle
Product: CVE-2017-3299
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Organizations running Oracle PeopleSoft Enterprise PeopleTools 8.54 or 8.55, especially teams responsible for PeopleSoft web access, application security, and patch management. Because exploitation is network-based and interacts with the PIA Search Functionality, internet-facing or broadly reachable PeopleSoft deployments should be prioritized.

Technical summary

The NVD record classifies the flaw with CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating a network-reachable issue with low attack complexity, no privileges required, and user interaction required. The affected component is PeopleSoft Enterprise PeopleTools, subcomponent PIA Search Functionality. The described impact is limited to confidentiality and integrity: unauthorized read access to a subset of accessible data, plus unauthorized insert/update/delete access to some accessible data. NVD lists affected CPEs for Oracle PeopleSoft Enterprise PeopleTools 8.54 and 8.55.

Defensive priority

Medium. The vulnerability is reachable over HTTP and does not require attacker authentication, but it does require user interaction, and the supplied CVSS vector records no availability impact (A:N). Prioritize if the affected PeopleSoft instances are exposed to users or external networks.

Recommended defensive actions

  • Confirm whether any Oracle PeopleSoft Enterprise PeopleTools deployments are running versions 8.54 or 8.55.
  • Review Oracle's January 2017 Critical Patch Update advisory referenced by NVD and apply the vendor guidance or patch path that addresses this issue.
  • Restrict exposure of PeopleSoft web services and HTTP access to the minimum necessary network paths.
  • Monitor for unusual PeopleSoft PIA Search activity and unexpected data modification or access patterns.
  • Validate that patching, compensating controls, and configuration changes have been completed across all impacted environments.

Evidence notes

The supplied NVD record states the vulnerability was published on 2017-01-27 and later modified on 2026-05-13. Oracle's referenced January 2017 CPU advisory is the vendor patch reference in the supplied corpus. The record also shows no KEV listing in the provided data. All impact and version details in this debrief are drawn from the supplied CVE description and NVD metadata.

Official resources

First published in the supplied data on 2017-01-27. No KEV date is provided in the supplied corpus.