PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3363 Oracle CVE debrief

CVE-2017-3363 is a high-severity vulnerability in the Oracle Knowledge Management component of Oracle E-Business Suite, specifically the User Interface subcomponent. Oracle identifies supported affected versions as 12.1.1, 12.1.2, and 12.1.3. The issue is network-reachable over HTTP and is described as easily exploitable by an unauthenticated attacker, but successful exploitation requires human interaction from someone other than the attacker. The published CVSS v3.0 score is 8.2, reflecting meaningful confidentiality and integrity impact.

Vendor: Oracle
Product: CVE-2017-3363
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Organizations running Oracle E-Business Suite with Oracle Knowledge Management enabled, especially environments still on versions 12.1.1, 12.1.2, or 12.1.3. Security teams should also care because the vulnerability is unauthenticated, network-accessible, and can expose or alter critical data.

Technical summary

NVD lists the affected CPEs as oracle:knowledge_management 12.1.1, 12.1.2, and 12.1.3. The CVSS vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N: network attack vector, low attack complexity, no privileges required, user interaction required, changed scope, high confidentiality impact, low integrity impact, and no availability impact. The stated impacts include unauthorized access to critical data or complete access to Oracle Knowledge Management-accessible data, plus unauthorized update, insert, or delete access to some data. The CVE description also notes that attacks may significantly impact additional products, which is what the changed scope (S:C) in the vector expresses.

Defensive priority

High

Recommended defensive actions

  • Verify whether Oracle E-Business Suite Knowledge Management is deployed in any environment running versions 12.1.1, 12.1.2, or 12.1.3.
  • Review Oracle's January 2017 Critical Patch Update advisory for applicable fixes and deployment guidance.
  • Prioritize patching or compensating controls on internet-reachable or broadly accessible HTTP endpoints that expose Oracle Knowledge Management.
  • Limit user interaction pathways to sensitive workflows where practical, since exploitation requires human interaction.
  • Monitor for unexpected changes to Knowledge Management data and access patterns, especially unauthorized reads and modifications.

Evidence notes

Source corpus: NVD CVE detail and modified record for CVE-2017-3363, including the published description, CVSS vector, affected CPEs, and Oracle reference links. The CVE was published on 2017-01-27T22:59:05.757Z and later modified on 2026-05-13T00:24:29.033Z; the debrief uses the CVE publication date for timing context. No exploit details are included.

Official resources

Publicly disclosed in the CVE record on 2017-01-27. NVD last modified the record on 2026-05-13.