PatchSiren


CVE-2017-3326 Oracle CVE debrief

CVE-2017-3326 is a high-severity Oracle Common Applications issue in Oracle E-Business Suite’s Role Summary subcomponent. Oracle and NVD describe it as network-reachable over HTTP and unauthenticated, but exploitation requires user interaction by someone other than the attacker. Successful attacks can expose critical data and allow unauthorized changes to some accessible data.

Vendor: Oracle
Product: Oracle Common Applications (Oracle E-Business Suite)
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Administrators and security teams running Oracle E-Business Suite Common Applications, especially versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. Internet-facing deployments and environments where users may interact with attacker-controlled content are the highest concern.

Technical summary

NVD records this as CVSS 3.0 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N) with a primary weakness classification of NVD-CWE-noinfo. The vulnerability affects Oracle Common Applications in Oracle E-Business Suite, subcomponent Role Summary. The stated impact includes unauthorized access to critical data or complete access to accessible data, plus unauthorized update, insert, or delete access to some accessible data. The record identifies affected CPEs for Oracle Common Applications versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6.

Defensive priority

High priority for Oracle E-Business Suite defenders: the issue is network-reachable and unauthenticated, although exploitation still depends on user interaction. Patch any affected Common Applications deployment and validate its exposure.

Recommended defensive actions

  • Check whether Oracle E-Business Suite Common Applications is deployed in any of the affected versions listed by NVD: 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6.
  • Review Oracle’s January 2017 Critical Patch Update advisory referenced by NVD and apply the vendor remediation for affected systems.
  • Prioritize remediation for any internet-facing or broadly reachable HTTP-accessible Oracle E-Business Suite instances.
  • Reduce opportunities for unintended user interaction with untrusted content or links in environments where affected users may be targeted.
  • Validate that Oracle Common Applications instances are no longer on vulnerable versions after patching and document the change for asset inventory and compliance tracking.

Evidence notes

This debrief is based on the supplied NVD record for CVE-2017-3326, which cites Oracle’s January 2017 CPU advisory and lists affected Oracle Common Applications versions, CVSS 3.0 vector, and reference links. Claims are limited to the provided source corpus.

Official resources

Publicly disclosed on 2017-01-27 in the Oracle January 2017 security advisory cycle and recorded by NVD the same day. The NVD entry was later modified on 2026-05-13.