PatchSiren cyber security CVE debrief
CVE-2017-3348 Oracle CVE debrief
CVE-2017-3348 is a high-severity Oracle Marketing vulnerability in Oracle E-Business Suite's User Interface component. Oracle and NVD describe it as easily exploitable over HTTP by an unauthenticated network attacker, but with required human interaction. Successful exploitation can expose critical data and allow unauthorized changes in Oracle Marketing, with possible impact beyond the component itself. The CVE was published on 2017-01-27 and should be treated as a patch-priority issue for any affected deployment.
- Vendor: Oracle
- Product: CVE-2017-3348
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, application security teams, and anyone responsible for Oracle Marketing instances running versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6.
Technical summary
NVD maps the issue to Oracle Marketing in Oracle E-Business Suite and marks the affected CPEs for versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, which reflects a network-reachable issue with no privileges required, but with required user interaction and cross-component security impact. The vulnerability can lead to unauthorized access to critical data and unauthorized update/insert/delete access to some Oracle Marketing data.
Defensive priority
High. The issue is network-reachable, unauthenticated, and rated CVSS 8.2 (HIGH), with available vendor remediation referenced in Oracle's January 2017 CPU advisory.
Recommended defensive actions
- Confirm whether Oracle Marketing is deployed and whether any instance matches the affected versions listed by NVD.
- Apply Oracle's January 2017 CPU remediation referenced in the vendor advisory for CVE-2017-3348.
- Reduce exposure of Oracle E-Business Suite interfaces to only required networks and users, especially HTTP-accessible entry points.
- Review access controls and user-training controls to reduce the likelihood of the required human interaction leading to compromise.
- Check for unauthorized data access or changes in Oracle Marketing data on exposed systems and investigate any suspicious activity.
Evidence notes
This debrief is based only on the provided CVE/NVD corpus and the linked Oracle advisory and CVE records. Key facts used: publication date 2017-01-27, last modified 2026-05-13, Oracle Marketing/E-Business Suite affected versions, CVSS 3.0 score 8.2, vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, and the stated confidentiality/integrity impact. NVD lists CWE as NVD-CWE-noinfo, so no more specific weakness classification is asserted here.
Official resources
- CVE-2017-3348 CVE record (CVE.org)
- CVE-2017-3348 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference ([email protected] - Patch, Vendor Advisory)
- Source reference
Publicly published on 2017-01-27; the supplied NVD record was last modified on 2026-05-13.