PatchSiren cyber security CVE debrief

CVE-2017-3367 Oracle CVE debrief

CVE-2017-3367 is a high-severity vulnerability in the Oracle Knowledge Management component of Oracle E-Business Suite. Oracle and NVD describe it as an easily exploitable issue reachable over HTTP by an unauthenticated attacker, although successful exploitation requires user interaction. The expected impact is serious: unauthorized access to critical data, full access to Oracle Knowledge Management data, and unauthorized modification of some data. Oracle’s January 2017 Critical Patch Update (CPU) and the NVD record both identify the affected supported versions as 12.1.1, 12.1.2, and 12.1.3.

Vendor: Oracle
Product: CVE-2017-3367
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, application owners, and security teams responsible for Oracle Knowledge Management deployments on versions 12.1.1, 12.1.2, or 12.1.3.

Technical summary

NVD lists the issue with CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, reflecting a network attack vector, low attack complexity, no privileges required, a user-interaction step, and a scope change (the vulnerability affects resources beyond the vulnerable component). The affected component is Oracle Knowledge Management’s user interface within Oracle E-Business Suite. The record cites Oracle CPU January 2017 as the vendor advisory reference and enumerates vulnerable CPEs for versions 12.1.1, 12.1.2, and 12.1.3. NVD’s weakness entry is NVD-CWE-noinfo, so the precise root-cause class is not specified in the supplied corpus.

Defensive priority

High. This is externally reachable, unauthenticated, and can expose or alter sensitive application data, so it should be prioritized for patching and exposure reduction.

Recommended defensive actions

  • Review Oracle’s January 2017 Critical Patch Update advisory for the applicable fix guidance.
  • Patch Oracle Knowledge Management installations running 12.1.1, 12.1.2, or 12.1.3 as soon as possible.
  • Restrict network access to Oracle E-Business Suite and Oracle Knowledge Management interfaces to trusted sources only.
  • Verify whether the affected component is deployed anywhere in the environment, including non-production systems.
  • Validate that compensating controls remain effective across change windows, so that the vulnerable interface is never left reachable over HTTP from untrusted networks.
  • After remediation, confirm the installed Oracle Knowledge Management version and document the patch status.

Evidence notes

Evidence is drawn from the official NVD record for CVE-2017-3367 and the Oracle January 2017 CPU reference URL included in the NVD references. The supplied NVD data states affected versions 12.1.1, 12.1.2, and 12.1.3, the CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, and the impact statement covering unauthorized access to critical data and unauthorized updates/inserts/deletes to some data. The record was published on 2017-01-27 and last modified on 2026-05-13; those dates are the CVE record timeline, not the vulnerability creation date.

Official resources

Publicly disclosed in the official CVE record and NVD on 2017-01-27. The NVD record was last modified on 2026-05-13.