PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3372 Oracle CVE debrief

CVE-2017-3372 is a high-severity vulnerability in Oracle Interaction Blending, a user-interface subcomponent of Oracle E-Business Suite. The supplied NVD record lists affected versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The issue is network-reachable over HTTP and does not require authentication, but it does require human interaction from someone other than the attacker. NVD rates the issue CVSS 3.0 8.2, with high confidentiality impact and low integrity impact. Successful exploitation can expose critical data and allow unauthorized data changes in the affected component, and the record notes that additional products may also be significantly impacted.

Vendor: Oracle
Product: CVE-2017-3372
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators and security teams running Oracle Interaction Blending 12.1.1 through 12.2.6, especially where the service is reachable over HTTP or exposed beyond tightly controlled internal networks.

Technical summary

NVD lists the vector as CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. In practical terms, the attack is remote (AV:N), low-complexity (AC:L), and unauthenticated (PR:N), but it depends on a user action (UI:R). The changed scope (S:C) corresponds to the record's note that additional products may be impacted. The vulnerability is mapped only to the generic weakness label NVD-CWE-noinfo, so the supplied corpus does not identify a more specific CWE. The affected CPEs are Oracle Interaction Blending versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6.

Defensive priority

High. The issue is unauthenticated, network-reachable, and scored 8.2, but it does require user interaction. Prioritize any internet-facing or broadly reachable deployment, then validate patch status and exposure controls.

Recommended defensive actions

  • Confirm whether Oracle Interaction Blending is deployed in any of the affected versions listed by NVD.
  • Review the Oracle CPU January 2017 advisory referenced in the NVD record and apply the vendor fix or supported mitigation for the affected version.
  • Restrict exposure of the affected application to trusted networks where feasible, especially HTTP access.
  • Reduce the chance of successful user interaction by tightening user-facing controls and security awareness around unexpected requests.
  • Verify logging and monitoring for suspicious access patterns or unexpected data changes in the component.

Evidence notes

All version, severity, vector, and impact statements are taken from the supplied NVD record and its referenced Oracle CPU January 2017 advisory entry. The record states the vulnerability is in Oracle Interaction Blending, affects versions 12.1.1 through 12.2.6 as listed, is accessible via HTTP, requires human interaction, and can affect confidentiality and integrity. The weakness field is NVD-CWE-noinfo, so no finer-grained CWE is provided in the corpus.

Official resources

The CVE was published on 2017-01-27T22:59:06.070Z. The supplied NVD record was last modified on 2026-05-13T00:24:29.033Z; that later timestamp reflects record maintenance, not the original disclosure date.