PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3418 Oracle CVE debrief

CVE-2017-3418 is a high-severity Oracle CRM Technical Foundation issue in Oracle E-Business Suite 12.1.3. NVD describes it as an easily exploitable vulnerability reachable over HTTP by an unauthenticated attacker, with successful attacks requiring human interaction from another person. The impact can include unauthorized access to critical data and unauthorized update, insert, or delete access to some data accessible to the component. Oracle’s January 2017 Critical Patch Update is listed as the vendor reference for remediation.

Vendor: Oracle
Product: CVE-2017-3418
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, CRM Technical Foundation operators, application security teams, and defenders responsible for systems running version 12.1.3 should prioritize this CVE.

Technical summary

The NVD record maps CVE-2017-3418 to Oracle Customer Relationship Management Technical Foundation 12.1.3 and classifies it with CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. Decoded, that vector means the attack is network-reachable (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N) but does require user interaction (UI:R), and has a changed scope (S:C), so a successful attack can affect resources beyond the vulnerable component. The impact metrics are High for confidentiality, Low for integrity, and None for availability. NVD lists the weakness as NVD-CWE-noinfo, so the specific root cause is not described in the public record.

Defensive priority

High. The combination of unauthenticated network access, required user interaction, and potential critical-data exposure makes this worth prompt patching and exposure review in any environment running the affected Oracle component.

Recommended defensive actions

  • Apply the Oracle January 2017 Critical Patch Update referenced in the vendor advisory for the affected product.
  • Confirm whether Oracle CRM Technical Foundation version 12.1.3 is installed anywhere in the environment.
  • Limit access to the affected application interface and reduce unnecessary network exposure while remediation is underway.
  • Review authentication, session, and application-change logs for unexpected user interactions or unauthorized data modifications.
  • Validate that related Oracle E-Business Suite components are also current, since the advisory notes that successful attacks may significantly impact additional products.

Evidence notes

CVE publication date: 2017-01-27T22:59:07.537Z. NVD later modified the record on 2026-05-13T00:24:29.033Z, but that does not change the original issue date. Source metadata ties the vulnerability to Oracle CRM Technical Foundation 12.1.3 and cites Oracle’s January 2017 CPU advisory as a patch/vendor reference. The CVSS vector and impact statements in this debrief come from the supplied NVD metadata.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-01-27; later NVD metadata updates on 2026-05-13 do not represent a new disclosure date.