PatchSiren cyber security CVE debrief
CVE-2017-3338 Oracle CVE debrief
CVE-2017-3338 affects the Oracle Marketing component of Oracle E-Business Suite. Oracle and NVD describe it as an easily exploitable issue reachable over HTTP by an unauthenticated attacker, but successful exploitation requires human interaction from a separate person. The issue can expose critical Oracle Marketing data and allow unauthorized modification of some data, giving it a CVSS v3.0 base score of 8.2 (High).
- Vendor: Oracle
- Product: CVE-2017-3338
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, Oracle Marketing owners, application security teams, and incident responders responsible for internet-facing or user-facing Oracle business applications.
Technical summary
NVD lists the vulnerable Oracle Marketing versions as 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, indicating a network attack vector, no privileges required, and required user interaction. The reported impacts focus on confidentiality and integrity: unauthorized access to critical data or all accessible Oracle Marketing data, plus unauthorized update, insert, or delete access to some data. NVD cites Oracle's January 2017 Critical Patch Update advisory as the vendor remediation reference.
Defensive priority
High priority for any environment running affected Oracle Marketing releases, especially where users access the application over HTTP or where business processes could be influenced by user interaction.
Recommended defensive actions
- Identify whether any listed Oracle Marketing versions are deployed, including 12.1.1 through 12.2.6 as named by NVD.
- Review Oracle's January 2017 Critical Patch Update advisory referenced by NVD and apply the vendor-recommended remediation.
- Reduce exposure of Oracle Marketing interfaces to untrusted networks where possible, especially HTTP-accessible paths.
- Review authentication, session handling, and user workflows that could enable unintended human interaction with malicious content.
- Monitor for unusual access to Oracle Marketing data and for unauthorized create, update, or delete activity.
- Validate that adjacent Oracle E-Business Suite components do not inherit exposure from Oracle Marketing workflows or shared access paths.
Evidence notes
The summary is based on the supplied NVD record and its vendor references. NVD lists the affected Oracle Marketing versions, the CVSS v3.0 vector, and the impact statement. The Oracle CPU January 2017 advisory is referenced by NVD as the vendor patch source. SecurityFocus BID 95500 is listed by NVD as an additional reference, but NVD and Oracle are the primary sources used here.
Official resources
- CVE-2017-3338 CVE record: CVE.org
- CVE-2017-3338 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Source reference
Publicly disclosed in Oracle/NVD records on 2017-01-27. The supplied NVD record was last modified on 2026-05-13.