PatchSiren

CVE-2017-3333 Oracle CVE debrief

CVE-2017-3333 is a high-severity Oracle Marketing vulnerability in Oracle E-Business Suite that Oracle and NVD describe as easily exploitable over HTTP by an unauthenticated attacker, but with required human interaction. The impact is primarily confidentiality and integrity loss, with potential unauthorized access to critical data and write actions against some Oracle Marketing data.

Vendor: Oracle
Product: CVE-2017-3333
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Organizations running affected Oracle E-Business Suite Marketing versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6 should prioritize review, especially teams exposing Oracle Marketing to network access or relying on it for sensitive customer and campaign data.

Technical summary

NVD lists the vulnerable component as Oracle Marketing (User Interface subcomponent) and maps affected CPEs to the versions in Oracle's advisory. The CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, indicating network reachability, no privileges required, user interaction required, and scope change with high confidentiality impact and low integrity impact. NVD's weakness classification is generic (NVD-CWE-noinfo), so the source corpus does not provide a precise CWE.

Defensive priority

High. The combination of unauthenticated network exposure, user interaction requirement, and high confidentiality impact makes this worth prompt patch verification and exposure review for any organization using the affected Oracle Marketing versions.

Recommended defensive actions

  • Verify whether Oracle Marketing versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6 are deployed anywhere in the environment.
  • Apply the Oracle patch or remediation referenced in Oracle's January 2017 CPU advisory.
  • Review any externally reachable HTTP paths to Oracle Marketing and reduce exposure where possible.
  • Confirm whether dependent business processes or adjacent Oracle products could be affected by compromised Oracle Marketing data.
  • Because user interaction is required, review user-facing workflows and train users to treat unexpected prompts or links involving Oracle Marketing with caution.
  • Reassess access controls and logging around Oracle Marketing data that would be sensitive if read or modified.

Evidence notes

All core claims come from the supplied NVD record and its referenced Oracle advisory. The record states the issue is in Oracle Marketing's User Interface subcomponent, affects the listed versions, is exploitable over HTTP by an unauthenticated attacker, requires human interaction, and can lead to unauthorized access and some data modification. The provided NVD vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. The NVD weakness field is NVD-CWE-noinfo, so no more specific weakness should be inferred from the corpus.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-01-27, with Oracle's January 2017 CPU advisory cited by NVD as the vendor patch reference.