PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3366 Oracle CVE debrief

CVE-2017-3366 is a high-severity Oracle Knowledge Management vulnerability in Oracle E-Business Suite. According to NVD and the Oracle-linked advisory reference, affected supported versions include 12.1.1, 12.1.2, and 12.1.3. The issue is network-reachable over HTTP and does not require authentication, but successful exploitation does require human interaction by a person other than the attacker. Impact is primarily on confidentiality and integrity, including unauthorized access to critical data or broader access to Oracle Knowledge Management data.

Vendor: Oracle
Product: Oracle Knowledge Management (Oracle E-Business Suite)
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Administrators and security teams responsible for Oracle E-Business Suite deployments that include the Knowledge Management component, especially systems running 12.1.1, 12.1.2, or 12.1.3 and exposed to network access.

Technical summary

NVD lists the CVSS v3.0 vector as CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N: network attack vector, low attack complexity, no privileges required, user interaction required, changed scope, high confidentiality impact, low integrity impact, and no availability impact. This matches an unauthenticated network attack that depends on user interaction and whose effect reaches beyond the vulnerable component. The vulnerability is scoped to Oracle Knowledge Management (User Interface subcomponent) in Oracle E-Business Suite. NVD identifies vulnerable CPEs for Oracle Knowledge Management 12.1.1, 12.1.2, and 12.1.3. The record does not provide a CWE-specific classification beyond NVD-CWE-noinfo.

Defensive priority

High. If you operate any affected Oracle Knowledge Management instance, prioritize patching or vendor-guided mitigation and treat externally reachable deployments as urgent review candidates.

Recommended defensive actions

  • Check whether Oracle E-Business Suite Knowledge Management 12.1.1, 12.1.2, or 12.1.3 is deployed in your environment.
  • Review Oracle's January 2017 CPU advisory reference listed by NVD for remediation guidance and patches.
  • Restrict access to the affected application interface while remediation is pending, especially where user interaction could be induced.
  • Monitor for unusual access to Knowledge Management data and administrative changes until patched.
  • Confirm whether the vulnerable component is exposed to broader network segments or internet-facing paths and reduce exposure where possible.

Evidence notes

All claims are based on the supplied NVD record and its listed Oracle/BID references. The CVE was published on 2017-01-27T22:59:05.850Z; the 2026-05-13 modified timestamp reflects record maintenance, not the vulnerability's original disclosure date. The source corpus identifies Oracle as the vendor, the affected product as Oracle Knowledge Management in Oracle E-Business Suite, and the vulnerable versions as 12.1.1, 12.1.2, and 12.1.3.

Official resources

Published by CVE/NVD on 2017-01-27. NVD record last modified on 2026-05-13. Oracle CPU January 2017 advisory is listed in the NVD references.