PatchSiren cyber security CVE debrief
CVE-2017-3335 Oracle CVE debrief
CVE-2017-3335 is a high-severity vulnerability in the Oracle Marketing component of Oracle E-Business Suite. According to the NVD record, an unauthenticated attacker with network access via HTTP can compromise Oracle Marketing, but success requires user interaction. Oracle’s description says the issue can lead to unauthorized access to critical data or complete access to Oracle Marketing accessible data, along with unauthorized update, insert, or delete actions on some of that data. Oracle also notes that the impact may extend to additional products.
- Vendor: Oracle
- Product: CVE-2017-3335
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, application security teams, and organizations running the affected Oracle Marketing versions should care most. This is especially important for environments exposing Oracle Marketing to untrusted networks or users.
Technical summary
NVD classifies the issue as CVSS v3.0 8.2 with vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. The vulnerable product scope in the supplied record covers Oracle Marketing versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The attack surface is network-based over HTTP, does not require privileges, and has a user-interaction requirement. The documented impact is primarily confidentiality and integrity, including unauthorized access to sensitive Oracle Marketing data and limited unauthorized modification.
Defensive priority
High. The combination of network reachability, no privileges, and strong data-exposure impact makes this worth prompt remediation, even though user interaction is required.
Recommended defensive actions
- Review Oracle’s January 2017 Critical Patch Update advisory for the applicable Oracle Marketing/E-Business Suite release and apply the vendor fix or cumulative update identified there.
- Confirm whether any of the affected Oracle Marketing versions listed in the record are deployed in your environment.
- Reduce exposure of Oracle Marketing interfaces to untrusted networks where possible, especially any HTTP-accessible entry points.
- Audit authentication, authorization, and user-interaction flows around Oracle Marketing to identify where users could be induced into completing the required interaction.
- Prioritize validation of data-access controls and monitor for unusual read or write activity against Oracle Marketing data.
- Track Oracle and NVD updates for this CVE and related product advisories before and after remediation.
Evidence notes
This debrief is based on the supplied NVD record and its Oracle advisory references. The record explicitly states the affected versions, network/HTTP access, user-interaction requirement, CVSS vector, and impact statements. The source corpus does not provide the full Oracle advisory text, exploitation details, or confirmed exploit activity, and no Known Exploited Vulnerabilities entry was supplied.
Official resources
- CVE-2017-3335 CVE record: CVE.org
- CVE-2017-3335 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Source reference
CVE published on 2017-01-27. The supplied NVD record was last modified on 2026-05-13. No KEV listing was provided in the source corpus.