PatchSiren cyber security CVE debrief
CVE-2017-3352 Oracle CVE debrief
CVE-2017-3352 is a high-severity Oracle Marketing vulnerability in Oracle E-Business Suite. Oracle and NVD describe it as an easily exploitable issue that can be reached over HTTP by an unauthenticated attacker, but it requires human interaction. If exploited, it can expose critical data and allow unauthorized changes to Oracle Marketing data, with possible impact beyond the Marketing component. The CVE was published on 2017-01-27, and the vendor advisory referenced in NVD is Oracle’s January 2017 Critical Patch Update.
- Vendor: Oracle
- Product: CVE-2017-3352
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, Oracle Marketing owners, application security teams, and incident responders should care most—especially if any supported Oracle Marketing 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6 deployments are exposed to network access.
Technical summary
NVD lists CVSS v3.0 8.2 with vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. That means the issue is network-reachable (AV:N), has low attack complexity (AC:L), and needs no privileges (PR:N), but does require user interaction (UI:R). Scope is changed (S:C), which is how the vector expresses possible impact beyond the Marketing component. The disclosed impact is high confidentiality loss (C:H) and low integrity loss (I:L), with no direct availability impact recorded (A:N). NVD maps the affected product to Oracle Marketing versions 12.1.1 through 12.2.6, and Oracle’s CPU advisory is the referenced vendor remediation source.
Defensive priority
High. This is a network-reachable issue that requires no authentication (though it does require user interaction), with significant confidentiality impact and some integrity impact, so exposed Oracle E-Business Suite environments should be prioritized for patch verification and exposure reduction.
Recommended defensive actions
- Confirm whether Oracle Marketing is deployed in any affected version range: 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6.
- Apply the relevant Oracle Critical Patch Update referenced by the vendor advisory and verify the patch is installed.
- Restrict network exposure to Oracle E-Business Suite interfaces, especially any HTTP-accessible endpoints.
- Review access controls and application logs for unexpected data access or unauthorized record changes in Oracle Marketing.
- Because user interaction is required, assess email, workflow, and user-facing entry points that could be used to trigger the flaw.
- Coordinate with business owners to validate whether additional Oracle products could be affected by downstream impact, as described in the advisory.
Evidence notes
The source corpus states that the vulnerability affects Oracle Marketing in Oracle E-Business Suite and lists the supported affected versions. NVD provides the CVSS vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N and references Oracle’s January 2017 CPU advisory as the mitigation/vendor reference. No exploit steps or exploit code are included here.
Official resources
- CVE-2017-3352 CVE record (CVE.org)
- CVE-2017-3352 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference (Patch, Vendor Advisory)
- Source reference: Publicly disclosed in the CVE record on 2017-01-27. Oracle’s January 2017 Critical Patch Update is the vendor advisory referenced by NVD.