PatchSiren

CVE-2017-3303 Oracle CVE debrief

CVE-2017-3303 affects the Oracle XML Gateway component of Oracle E-Business Suite, specifically the Oracle Transport Agent subcomponent. According to NVD, the issue is exploitable over the network via HTTP, requires user interaction, and can lead to unauthorized access to sensitive XML Gateway data as well as unauthorized data modification. Oracle lists affected supported versions as 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The published CVSS v3.0 score is 8.2 (High).

Vendor: Oracle
Product: CVE-2017-3303
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, IAM/applications teams, SOC analysts, and vulnerability management teams responsible for Oracle XML Gateway deployments should prioritize this CVE, especially where the service is reachable over HTTP.

Technical summary

NVD classifies the issue as CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N: a network-reachable flaw with low attack complexity and no privileges required, but with user interaction needed. The stated impact is high for confidentiality and low for integrity, with no availability impact and with changed scope. The affected product set in the source corpus is Oracle XML Gateway for E-Business Suite versions 12.1.1 through 12.2.6 as listed by NVD.

Defensive priority

High. Prioritize remediation for any Oracle E-Business Suite environment exposing XML Gateway or the Transport Agent, particularly if reachable from untrusted networks.

Recommended defensive actions

  • Inventory Oracle E-Business Suite deployments and confirm whether Oracle XML Gateway / Transport Agent is present on affected versions.
  • Apply the Oracle security update referenced in the January 2017 CPU advisory that addresses CVE-2017-3303, and verify that the fix is included in your current patch level.
  • Restrict HTTP access to Oracle XML Gateway to trusted sources only, using network controls, allowlists, or private connectivity where feasible.
  • Monitor for unusual XML Gateway requests and unexpected data changes, especially if the environment supports sensitive business documents or integrations.
  • Review user-facing workflows that could satisfy the required interaction path and reduce exposure through user awareness and access controls.

Evidence notes

This debrief is based only on the supplied CVE record, NVD metadata, and the linked Oracle/NVD references present in the corpus. Timing uses the CVE published date of 2017-01-27; the later NVD modified date of 2026-05-13 is treated only as source update context, not as the vulnerability issue date. No exploit details are included.

Official resources

Publicly disclosed and published in the CVE record on 2017-01-27. NVD shows a later metadata modification on 2026-05-13, which does not change the original publication date.