PatchSiren cyber security CVE debrief
CVE-2017-3364 Oracle CVE debrief
CVE-2017-3364 is a high-severity vulnerability in the Oracle Knowledge Management component of Oracle E-Business Suite. Oracle and NVD identify the affected supported versions as 12.1.1, 12.1.2, and 12.1.3. The issue is network-reachable over HTTP, requires no attacker authentication, and can still have serious consequences because successful exploitation may expose critical data or allow unauthorized updates, inserts, or deletes in Oracle Knowledge Management. The CVSS v3.0 base score is 8.2, reflecting a high confidentiality impact (C:H) together with a low integrity impact (I:L).
- Vendor: Oracle
- Product: CVE-2017-3364
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, application owners, and security teams responsible for Oracle Knowledge Management deployments, especially environments exposing the interface to network access.
Technical summary
The supplied NVD record describes a vulnerability in the Oracle Knowledge Management component of Oracle E-Business Suite, specifically the User Interface subcomponent. The attack vector is network-based (AV:N) with low attack complexity (AC:L), no privileges required (PR:N), and user interaction required (UI:R). NVD assigns CVSS v3.0 8.2 with scope changed and impacts of high confidentiality (C:H), low integrity (I:L), and no availability impact (A:N). Oracle/NVD list supported affected versions as 12.1.1, 12.1.2, and 12.1.3.
Defensive priority
High. The vulnerability is unauthenticated and network-reachable, and it can expose sensitive data or permit unauthorized changes, even though successful exploitation requires human interaction.
Recommended defensive actions
- Confirm whether Oracle E-Business Suite Knowledge Management 12.1.1, 12.1.2, or 12.1.3 is deployed in your environment.
- Apply the Oracle Critical Patch Update for January 2017 or the latest cumulative Oracle patches that include the fix for CVE-2017-3364.
- Restrict network access to the Knowledge Management interface to trusted users and networks where possible.
- Review access controls and user workflows around the Knowledge Management UI to reduce exposure to untrusted interaction.
- Monitor for unusual Knowledge Management activity, especially unexpected data reads or change operations.
- Use the Oracle security advisory and NVD record to validate remediation status and affected product scope.
Evidence notes
This debrief is based on the supplied NVD CVE record and Oracle vendor advisory reference. The record states the affected Oracle Knowledge Management versions, the HTTP/network attack context, the user-interaction requirement, and the CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. The CVE was published on 2017-01-27 and the NVD record was modified on 2026-05-13; those dates are used only as record timing context.
Official resources
- CVE-2017-3364 CVE record (CVE.org)
- CVE-2017-3364 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Source reference: Publicly disclosed in the Oracle/NVD records on 2017-01-27; the NVD entry was last modified on 2026-05-13.