PatchSiren cyber security CVE debrief
CVE-2017-3350 Oracle CVE debrief
CVE-2017-3350 is a high-severity Oracle Marketing vulnerability in Oracle E-Business Suite that can be reached over HTTP by an unauthenticated network attacker, but successful exploitation requires human interaction from someone other than the attacker. Oracle and NVD describe potentially serious confidentiality and integrity impact, including unauthorized access to critical data and unauthorized update/insert/delete access to some Oracle Marketing data.
- Vendor: Oracle
- Product: CVE-2017-3350
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, Oracle Marketing owners, security teams managing internet-facing or user-interactive EBS deployments, and incident responders responsible for protecting sensitive business data.
Technical summary
NVD lists the issue in Oracle Marketing (Oracle E-Business Suite, User Interface subcomponent) with CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. Affected supported versions are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The vulnerability is reachable via HTTP, does not require attacker authentication, and may affect additional products due to scope change. The described impact includes unauthorized access to critical data or all Oracle Marketing accessible data, plus unauthorized modification of some accessible data.
Defensive priority
High. Prioritize remediation for any Oracle E-Business Suite instance running Oracle Marketing, especially systems accessible over the network and any deployment where users may interact with exposed workflows.
Recommended defensive actions
- Confirm whether Oracle Marketing is deployed in any supported Oracle E-Business Suite instance and map affected versions against 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6.
- Review the Oracle Critical Patch Update advisory referenced by NVD for the vendor remediation guidance.
- Apply Oracle's documented patch or mitigation as soon as practical, prioritizing externally reachable systems.
- Restrict network exposure to Oracle E-Business Suite components where possible, especially HTTP-accessible paths.
- Monitor for suspicious user-interaction workflows and unusual access to Oracle Marketing data.
- Validate that backups and recovery procedures are current before applying changes to production systems.
Evidence notes
This debrief is grounded in the supplied NVD record and the Oracle CPU January 2017 vendor advisory reference. The NVD entry states that the vulnerability affects Oracle Marketing in Oracle E-Business Suite, is easily exploitable by an unauthenticated attacker with network access via HTTP, and requires human interaction. The record also lists the vulnerable versions and the CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. The Oracle advisory URL is included in the NVD references as the vendor patch reference.
Official resources
- CVE-2017-3350 CVE record: CVE.org
- CVE-2017-3350 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Source reference
CVE first published on 2017-01-27; this debrief uses that published date for timing context.