PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3341 Oracle CVE debrief

CVE-2017-3341 is a high-severity Oracle Marketing vulnerability in Oracle E-Business Suite’s user interface component. According to the NVD record, an unauthenticated attacker with network access via HTTP can exploit the issue, but successful attacks require human interaction from someone other than the attacker. Oracle’s description indicates the impact can include unauthorized access to critical data, complete access to Oracle Marketing accessible data, and unauthorized update, insert, or delete access to some of that data. The issue was published on 2017-01-27.

Vendor: Oracle
Product: CVE-2017-3341
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Organizations running Oracle E-Business Suite deployments that include Oracle Marketing, especially the affected versions listed in the NVD record (12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6). Security teams, application owners, and administrators responsible for externally reachable Oracle web interfaces should prioritize review.

Technical summary

NVD describes CVE-2017-3341 as a network-reachable vulnerability affecting Oracle Marketing, a component of Oracle E-Business Suite, with CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N and a base score of 8.2. The attack does not require prior authentication, but it does require human interaction. The source data ties the affected versions to Oracle Marketing 12.1.1 through 12.2.6. The reported impact is primarily confidentiality and integrity: unauthorized access to critical data, broad access to Oracle Marketing-accessible data, and limited unauthorized modification of some accessible data. The source record does not provide a more specific CWE beyond NVD-CWE-noinfo.

Defensive priority

High. The vulnerability is reachable over the network, requires no authentication, and has a high confidentiality impact; the only precondition is human interaction from someone other than the attacker. That makes it important to patch and verify quickly in any environment running affected Oracle Marketing versions.

Recommended defensive actions

  • Review Oracle’s January 2017 CPU advisory referenced in the NVD record and confirm the applicable fix for your installed Oracle Marketing version.
  • Inventory Oracle E-Business Suite environments to identify any installations running the affected versions: 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6.
  • Prioritize patching or compensating controls for any Oracle Marketing instance reachable over HTTP from untrusted networks.
  • Restrict network exposure of Oracle application interfaces where possible, and limit access to only required administrative or user networks.
  • Validate after remediation that the vulnerable Oracle Marketing components are updated and that no affected version remains exposed.
  • Review access logs around Oracle Marketing for unusual or unexpected user-interaction-driven activity consistent with attempted exploitation.

Evidence notes

This debrief is based on the official NVD record for CVE-2017-3341 and its Oracle vendor advisory reference. The vulnerability publication date used here is the CVE published timestamp, 2017-01-27T22:59:05.193Z. The NVD record was later modified on 2026-05-13T00:24:29.033Z, but that modification date is not treated as the issue date. The affected versions and the CVSS vector are taken from the supplied source corpus.

Official resources

Publicly disclosed and published in the source record on 2017-01-27. The NVD record was modified later on 2026-05-13, but the CVE issue date remains 2017-01-27.