PatchSiren

CVE-2017-3360 Oracle CVE debrief

CVE-2017-3360 is a high-severity Oracle Customer Intelligence vulnerability in Oracle E-Business Suite. According to NVD, it affects supported versions 12.1.1, 12.1.2, and 12.1.3 and can be exploited over HTTP by an unauthenticated network attacker, but successful exploitation requires human interaction. The published impact is serious: unauthorized access to critical data, full access to Oracle Customer Intelligence data, and unauthorized modification of some data.

Vendor: Oracle
Product: CVE-2017-3360
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, application security teams, and SOC analysts responsible for Oracle Customer Intelligence deployments, especially environments running versions 12.1.1, 12.1.2, or 12.1.3 exposed to HTTP access.

Technical summary

NVD lists the vulnerability as CVSS 3.0 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N). The issue is in the Oracle Customer Intelligence component, subcomponent User Interface, and is reachable by an unauthenticated attacker over the network via HTTP. The documented impact centers on confidentiality and integrity, with the potential for unauthorized access to critical data and unauthorized update, insert, or delete access to some accessible data. The NVD record also notes that attacks may significantly impact additional products.

Defensive priority

High. The combination of network reachability, lack of authentication, and meaningful confidentiality/integrity impact makes this a priority issue even though user interaction is required. Systems running the affected Oracle Customer Intelligence versions should be reviewed promptly and patched according to Oracle guidance.

Recommended defensive actions

  • Confirm whether Oracle Customer Intelligence versions 12.1.1, 12.1.2, or 12.1.3 are deployed.
  • Apply Oracle's January 2017 Critical Patch Update or a later vendor-fixed release referenced by Oracle.
  • Reduce or restrict HTTP exposure to affected Oracle E-Business Suite interfaces where feasible.
  • Review logs and application activity for unexpected or abnormal Oracle Customer Intelligence UI requests.
  • Validate that remediation has been completed across all affected instances, including any environments that share the same deployment path or data access patterns.

Evidence notes

The CVE description and NVD record identify the affected Oracle Customer Intelligence versions, the network/HTTP attack path, the requirement for human interaction, and the confidentiality/integrity impact. The NVD CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. Oracle's January 2017 security advisory is listed as the vendor patch reference.

Official resources

Publicly published by NVD on 2017-01-27; Oracle's January 2017 Critical Patch Update is the vendor reference listed in the source corpus.