PatchSiren cyber security CVE debrief
CVE-2017-3413 Oracle CVE debrief
CVE-2017-3413 is a high-severity Oracle vulnerability in the Advanced Outbound Telephony component of Oracle E-Business Suite. Oracle and NVD describe it as remotely reachable over HTTP, requiring no authentication but needing human interaction, with successful exploitation potentially exposing sensitive data and allowing some data modification. Oracle listed affected releases including 12.1.1 through 12.1.3 and 12.2.3 through 12.2.6.
- Vendor: Oracle
- Product: CVE-2017-3413
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, security teams, and incident responders responsible for Advanced Outbound Telephony deployments should prioritize this issue, especially where the component is reachable from untrusted networks or used in business-critical call workflows.
Technical summary
The NVD record classifies this issue as CVSS 3.0 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N) and identifies the affected product as Oracle Advanced Outbound Telephony. The vulnerability is network exploitable via HTTP without authentication, but exploitation requires human interaction. NVD describes the impact as unauthorized access to critical data or complete access to Advanced Outbound Telephony-accessible data, plus unauthorized update, insert, or delete access to some of that data. NVD lists the weakness as NVD-CWE-noinfo, so the exact underlying flaw type is not specified in the supplied corpus.
Defensive priority
High. The combination of unauthenticated network exposure, sensitive-data impact, and Oracle's high CVSS score warrants prompt patching or compensating controls where patching is delayed.
Recommended defensive actions
- Apply Oracle's January 2017 Critical Patch Update guidance for the affected Advanced Outbound Telephony versions.
- Verify whether any Oracle E-Business Suite instances expose the relevant HTTP endpoint beyond trusted administrative networks.
- Restrict network access to the affected component using segmentation, firewall rules, or reverse-proxy controls while remediation is in progress.
- Review authentication and access controls around Advanced Outbound Telephony workflows that involve human interaction.
- Check for unusual access patterns or unexpected data changes affecting Advanced Outbound Telephony-accessible records.
- Confirm the installed Oracle E-Business Suite release against the affected versions listed by NVD: 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6.
Evidence notes
All substantive claims are taken from the supplied NVD record and Oracle vendor reference. The NVD vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. The affected versions are explicitly listed in the NVD CPE criteria. The Oracle advisory reference is the January 2017 CPU page linked in the record. No exploit mechanism beyond the supplied description is assumed.
Official resources
- CVE-2017-3413 CVE record (CVE.org)
- CVE-2017-3413 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
Publicly disclosed on 2017-01-27, matching the CVE published date in the supplied record. The supplied source record was later modified on 2026-05-13, but that does not change the original disclosure date.