PatchSiren

CVE-2017-3346 Oracle CVE debrief

CVE-2017-3346 is a high-severity Oracle Marketing vulnerability in the Oracle E-Business Suite user interface. Oracle and NVD describe it as easily exploitable over HTTP by an unauthenticated attacker, but successful exploitation requires human interaction from someone other than the attacker. The issue can expose critical data and may allow unauthorized read and write access to Oracle Marketing data. Oracle identifies affected supported versions as 12.1.1 through 12.1.3 and 12.2.3 through 12.2.6.

Vendor: Oracle
Product: CVE-2017-3346
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Organizations running the Oracle Marketing component of Oracle E-Business Suite on any affected supported version should prioritize this issue, especially where the environment is exposed to network users or the marketing data is sensitive. Security and application teams managing Oracle Critical Patch Update (CPU) remediation should also care because the vulnerability is internet-reachable in principle and impacts confidentiality and integrity.

Technical summary

NVD scores the vulnerability with the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N: network attack vector, low attack complexity, no privileges required, user interaction required, changed scope, high confidentiality impact, low integrity impact, and no availability impact. The affected component is Oracle Marketing within Oracle E-Business Suite, specifically the User Interface subcomponent. NVD lists vulnerable CPEs for versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The available classification is NVD-CWE-noinfo, so the corpus does not provide a more specific weakness category.

Defensive priority

High. The score is 8.2 and the stated impact includes unauthorized access to critical data and unauthorized update, insert, or delete access to some Oracle Marketing data. Even though user interaction is required, the combination of network exposure and sensitive data impact makes timely remediation important.

Recommended defensive actions

  • Review Oracle's January 2017 CPU advisory for CVE-2017-3346 and apply the vendor-recommended remediation for affected Oracle Marketing versions.
  • Confirm whether any Oracle E-Business Suite instances run affected versions 12.1.1-12.1.3 or 12.2.3-12.2.6.
  • Reduce exposure of Oracle Marketing interfaces to only required network paths and authorized users.
  • Monitor for anomalous Oracle Marketing activity involving unexpected data access or changes until remediation is complete.
  • Track remediation status across all environments because the vulnerability can affect additional products according to the vendor description.

Evidence notes

This debrief is based only on the supplied CVE/NVD corpus and the linked Oracle and NVD references. The corpus states the affected product, versions, attack characteristics, impact, CVSS vector, and publication/modified timestamps. No exploit details, workaround specifics, or patch identifiers beyond the vendor advisory link are included.

Official resources

CVE published: 2017-01-27T22:59:05.287Z. NVD/source modified: 2026-05-13T00:24:29.033Z. Not listed as a Known Exploited Vulnerability in the supplied corpus.