PatchSiren cyber security CVE debrief
CVE-2017-3351 Oracle CVE debrief
CVE-2017-3351 is a high-severity vulnerability in Oracle Marketing, a component of Oracle E-Business Suite. The issue is remotely reachable over HTTP, does not require attacker authentication, and can affect confidentiality and integrity of Oracle Marketing data. Because successful exploitation requires human interaction, defenders should treat it as a serious but user-assisted web exposure risk. The CVE was published on 2017-01-27 and the record was later updated on 2026-05-13.
- Vendor: Oracle
- Product: CVE-2017-3351
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, Oracle Marketing owners, application security teams, and SOC analysts monitoring externally reachable enterprise web applications.
Technical summary
NVD lists affected Oracle Marketing versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, indicating network attackability, no privileges required, and a user-interaction dependency. The record describes potential unauthorized access to critical data or complete access to Oracle Marketing accessible data, plus unauthorized update, insert, or delete capabilities for some data.
Defensive priority
High. The combination of unauthenticated network exposure and material data impact makes this a priority patching and exposure-review item for Oracle E-Business Suite environments.
Recommended defensive actions
- Apply Oracle's published security update referenced in the January 2017 CPU advisory.
- Confirm whether any deployed Oracle Marketing instances match the affected versions listed in NVD.
- Reduce exposure of Oracle E-Business Suite web interfaces to only trusted networks and users where possible.
- Review authentication, session, and access logs for suspicious interaction with Oracle Marketing pages or workflows.
- Validate compensating controls for user interaction-dependent web attacks, including monitoring for phishing or click-through abuse.
- Coordinate remediation across dependent systems because the CVE description notes possible impact to additional products.
Evidence notes
All claims above are grounded in the supplied NVD CVE record and the referenced Oracle CPU January 2017 advisory. The record identifies Oracle Marketing as the affected product, lists the impacted versions, and provides the CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. The CVE was published on 2017-01-27 and the record was modified on 2026-05-13; those dates reflect record timing, not separate vulnerability discovery dates.
Official resources
- CVE-2017-3351 CVE record (CVE.org)
- CVE-2017-3351 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Source reference
Publicly disclosed in the CVE record on 2017-01-27; the NVD record was later modified on 2026-05-13. The supplied corpus does not include KEV listing or ransomware campaign attribution.