PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3327 Oracle CVE debrief

CVE-2017-3327 is an Oracle E-Business Suite Common Applications vulnerability in the Resources Module that affects several supported 12.1.x and 12.2.x releases. Oracle and NVD describe it as network-reachable over HTTP, unauthenticated, and requiring human interaction, with potential impact to sensitive data confidentiality and integrity. Organizations running affected E-Business Suite instances should treat it as a high-priority patching item, especially where the application handles critical business or customer data.

Vendor: Oracle
Product: CVE-2017-3327
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Security and application teams responsible for Oracle E-Business Suite, especially Common Applications/Resources Module deployments on affected 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6 versions. Any organization exposing EBS through HTTP or integrating it with sensitive internal systems should review exposure promptly.

Technical summary

The NVD record lists CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, indicating a network-exploitable issue with no privileges required but requiring user interaction. The affected CPEs cover Oracle Common Applications versions 12.1.1 through 12.2.6. The vendor advisory referenced by NVD is Oracle CPU January 2017. Based on the provided data, successful exploitation can expose critical data and allow unauthorized modification of some accessible data.

Defensive priority

High

Recommended defensive actions

  • Confirm whether any Oracle E-Business Suite Common Applications instances are running the affected versions listed in the advisory.
  • Review Oracle CPU January 2017 guidance and apply the vendor remediation for CVE-2017-3327 where applicable.
  • Restrict access to E-Business Suite HTTP interfaces to trusted networks until remediation is complete.
  • Audit for unusual access to Common Applications data and review logs around user-interactive workflows that could be abused.
  • Validate downstream systems and integrations that depend on E-Business Suite data, since the advisory notes possible impact beyond the directly affected component.

Evidence notes

The source corpus ties this CVE to Oracle Common Applications in the Oracle E-Business Suite Resources Module and lists affected versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. NVD supplies the CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N and classifies the weakness as NVD-CWE-noinfo. The Oracle CPU January 2017 advisory is referenced in the NVD record. The PublishedAt timestamp is 2017-01-27T22:59:04.820Z; no KEV entry is supplied in the provided corpus.

Official resources

Publicly disclosed in the CVE record on 2017-01-27. The provided source corpus includes Oracle CPU January 2017 and the NVD entry; no CISA KEV data is supplied for this CVE.