PatchSiren cyber security CVE debrief
CVE-2017-3340 Oracle CVE debrief
CVE-2017-3340 is an Oracle Marketing vulnerability in Oracle E-Business Suite’s user interface component. Oracle’s description says it is easily exploitable over HTTP by an unauthenticated network attacker, but successful exploitation requires human interaction from someone other than the attacker. The stated impact is serious confidentiality and integrity exposure, including unauthorized access to critical data and unauthorized update, insert, or delete access to some Oracle Marketing data.
- Vendor: Oracle
- Product: CVE-2017-3340
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, Oracle Marketing owners, application security teams, and any organization exposing the affected Oracle Marketing versions to network access should treat this as important.
Technical summary
NVD maps this issue to Oracle Marketing versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, which reflects network reachability, no privileges required, required user interaction, and high confidentiality impact with some integrity impact. Oracle’s summary states that successful attacks can result in unauthorized access to critical data or complete access to all Oracle Marketing accessible data, plus unauthorized modification of some of that data.
Defensive priority
High. The issue is network-reachable, requires no attacker privileges, and can expose or alter sensitive business data, even though user interaction is required.
Recommended defensive actions
- Apply Oracle’s January 2017 Critical Patch Update or a later cumulative release that includes the fix for CVE-2017-3340.
- Inventory Oracle E-Business Suite deployments and confirm whether Oracle Marketing is running one of the affected versions listed by NVD.
- Restrict network exposure to Oracle Marketing where possible, especially HTTP access from untrusted networks.
- Review authentication, session, and UI access paths around Oracle Marketing and monitor for unusual user-driven request flows.
- Increase logging and alerting for Oracle Marketing web activity, especially requests that could indicate abuse of the affected UI paths.
- If patching must be delayed, isolate the system to trusted networks and minimize access to only necessary users and hosts.
Evidence notes
The supplied NVD record identifies Oracle Marketing as affected and enumerates the vulnerable versions. The CVSS vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. NVD references Oracle’s January 2017 CPU advisory and SecurityFocus BID 95500. No CISA KEV entry is provided in the supplied enrichment.
Official resources
- CVE-2017-3340 CVE record (CVE.org)
- CVE-2017-3340 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Source reference: Publicly disclosed in the Oracle/NVD record on 2017-01-27; the NVD record was last modified on 2026-05-13.