PatchSiren cyber security CVE debrief
CVE-2017-3353 Oracle CVE debrief
CVE-2017-3353 affects the Oracle Marketing component of Oracle E-Business Suite, specifically the User Interface subcomponent. Oracle describes it as easily exploitable over HTTP by an unauthenticated network attacker, but successful exploitation requires human interaction from another person. The impact is serious: attackers may gain unauthorized access to critical data or all Oracle Marketing accessible data, and may also be able to update, insert, or delete some of that data. NVD rates the issue at CVSS 3.0 8.2 (High).
- Vendor: Oracle
- Product: CVE-2017-3353
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, Oracle Marketing owners, web application security teams, and incident responders responsible for systems running the affected Oracle Marketing versions.
Technical summary
The supplied NVD record lists CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N and marks the affected Oracle Marketing versions as 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. Oracle’s description says the flaw is easily exploitable via HTTP, requires no privileges, but does require human interaction. NVD also records the weakness as NVD-CWE-noinfo, so the corpus does not identify a more specific CWE.
Defensive priority
High. Treat as a near-term patching item for any environment running the affected Oracle Marketing versions, especially if the application is network-reachable or supports sensitive business data.
Recommended defensive actions
- Confirm whether any instance of Oracle E-Business Suite Marketing is running one of the affected versions: 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6.
- Apply the Oracle security update referenced in the January 2017 Oracle Critical Patch Update advisory, or a later Oracle patch level that includes the fix for this CVE.
- Restrict network exposure to the Oracle Marketing user interface and review whether HTTP access is broader than necessary.
- Review authentication, session, and application logs for unusual Oracle Marketing activity around the affected interface.
- Limit data exposure with least-privilege access controls while remediation is pending.
- If patching must be delayed, document compensating controls and re-check them after any Oracle maintenance change.
Evidence notes
The debrief is based on the supplied NVD CVE record and its Oracle advisory references. The corpus identifies affected Oracle Marketing versions, the HTTP/network attack surface, the user-interaction requirement, the CVSS vector, and the January 27, 2017 publication date. No Known Exploited Vulnerabilities flag is present in the supplied data.
Official resources
- CVE-2017-3353 CVE record (CVE.org)
- CVE-2017-3353 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Source reference: CVE and NVD records in the supplied corpus show publication on 2017-01-27, with the Oracle January 2017 Critical Patch Update advisory cited as the vendor reference.