PatchSiren cyber security CVE debrief
CVE-2017-3419 Oracle CVE debrief
CVE-2017-3419 is a high-severity vulnerability in the User Interface subcomponent of Oracle E-Business Suite's CRM Technical Foundation, affecting version 12.1.3. According to Oracle's description, it is easily exploitable over HTTP by an unauthenticated attacker, but successful exploitation requires human interaction from someone other than the attacker. Impact can include unauthorized access to critical data or complete access to all data accessible to CRM Technical Foundation, as well as unauthorized update, insert, or delete access to some of that data.
- Vendor
- Oracle
- Product
- Oracle E-Business Suite, CRM Technical Foundation (User Interface) 12.1.3
- CVSS
- HIGH 8.2 (CVSS v3.0)
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2017-01-27
- Original CVE updated
- 2026-05-13
- Advisory published
- 2017-01-27
- Advisory updated
- 2026-05-13
Who should care
Organizations running Oracle E-Business Suite 12.1.3, especially teams responsible for CRM Technical Foundation, web-facing Oracle application environments, and data owners concerned with confidentiality and integrity of CRM records.
Technical summary
NVD lists the affected CPE as Oracle Customer Relationship Management Technical Foundation 12.1.3 and provides the vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. That means the issue is reachable over the network with low attack complexity, requires no privileges, and depends on user interaction (UI:R, which in practice usually means a victim must open an attacker-supplied link or page). Scope is changed (S:C), so the impact extends beyond the vulnerable component, with high confidentiality impact, low integrity impact, and no availability impact. Oracle's advisory reference is the primary vendor source associated with the CVE.
Defensive priority
High. The vulnerability is network-exploitable and requires no authentication; the only barrier is that a victim must interact, and it can expose or alter sensitive CRM data. Prioritize exposure review and remediation for any internet-reachable or broadly reachable Oracle E-Business Suite deployments.
Recommended defensive actions
- Identify any Oracle E-Business Suite instances running CRM Technical Foundation 12.1.3.
- Check whether the Oracle CPU January 2017 advisory applies to your deployment and whether the referenced fix is installed.
- Reduce exposure of Oracle application interfaces to trusted networks only, where possible.
- Review access logs for unusual HTTP traffic to Oracle CRM Technical Foundation endpoints, in particular requests from untrusted sources, requests carrying markup or script fragments in parameters, and requests that arrive via off-site referrers, since the vector requires a victim to be drawn to the affected pages.
- Treat the user-interaction requirement as a lowered bar, not a barrier: a link in a phishing message or a page the victim is induced to open satisfies it, so do not discount the issue on that basis.
- Assess downstream systems and business processes that depend on CRM Technical Foundation data for potential confidentiality and integrity impact.
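The following Python is an added example for the log-review step above; it is not from the original debrief and not Oracle's code. It parses Oracle HTTP Server access-log lines in Apache combined format and flags requests to CRM Technical Foundation pages that come from outside a trusted range, carry markup-like characters in the decoded query string, or arrive with an off-site Referer (the last two matter because the vector requires a victim to interact). The /OA_HTML/jtf path prefix (JTF being the product code assumed here for CRM Technical Foundation), the JSP names, the trusted network, the site host name and the log lines themselves are all assumptions constructed for the example; adjust them to your deployment.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Assumptions for this example (adjust to your deployment):
JTF_PREFIX = "/OA_HTML/jtf"                          # CRM Technical Foundation (JTF) pages assumed under this prefix
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal client range
SITE_HOSTS = {"ebs.corp.example"}                    # assumed host names of our own EBS front end

# Apache / Oracle HTTP Server "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Markup or script fragments that should not appear in ordinary UI parameters.
MARKUP_RE = re.compile(r"""[<>"']|javascript:|\bon\w+\s*=""", re.IGNORECASE)

# Constructed sample log lines (not captured traffic); JSP names are illustrative.
SAMPLE_LOG = """\
10.20.1.15 - - [27/Jan/2017:09:12:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 412 "-" "Mozilla/5.0"
10.20.1.15 - - [27/Jan/2017:09:12:09 +0000] "GET /OA_HTML/jtfLoginPage.jsp?lang=US HTTP/1.1" 200 8123 "https://ebs.corp.example/OA_HTML/AppsLogin" "Mozilla/5.0"
203.0.113.77 - - [27/Jan/2017:09:14:33 +0000] "GET /OA_HTML/jtfwcpnt.jsp?query=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120 "https://mail.example.net/" "Mozilla/5.0"
10.20.1.16 - - [27/Jan/2017:09:15:02 +0000] "GET /OA_HTML/jtfLoginPage.jsp HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Jan/2017:09:20:45 +0000] "GET /OA_HTML/jtfwcpnt.jsp?page=home HTTP/1.1" 200 5120 "-" "curl/7.52"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text, prefix=JTF_PREFIX, trusted_nets=TRUSTED_NETS, site_hosts=SITE_HOSTS):
    """Return findings for requests to CRM Technical Foundation pages worth a second look."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["target"].startswith(prefix):
            continue
        reasons = []
        try:
            src = ipaddress.ip_address(rec["ip"])
            if not any(src in net for net in trusted_nets):
                reasons.append("untrusted-source")
        except ValueError:
            reasons.append("unparsable-source")
        # Decode the query string first so percent-encoding (%3C etc.) cannot hide markup.
        query = unquote_plus(urlsplit(rec["target"]).query)
        if MARKUP_RE.search(query):
            reasons.append("markup-in-query")
        # A victim who followed a link from elsewhere shows up with an off-site Referer.
        ref_host = urlsplit(rec["referer"]).hostname if rec["referer"] != "-" else None
        if ref_host and ref_host not in site_hosts:
            reasons.append("offsite-referer")
        if reasons:
            findings.append({"ts": rec["ts"], "ip": rec["ip"], "target": rec["target"],
                             "status": rec["status"], "reasons": reasons})
    return findings


def by_source(findings):
    """Count findings per source address, to spot one origin probing repeatedly."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['ip']} {f['target']} {f['status']} {','.join(f['reasons'])}")
    print(dict(by_source(results)))
```

Run against real logs, feed the output of `cat access_log*` in place of SAMPLE_LOG and widen TRUSTED_NETS to your actual client ranges; a request that trips all three checks from a single external address, as the third sample line does, is the pattern to escalate.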
Evidence notes
The CVE record and NVD entry identify Oracle as the vendor and Oracle Customer Relationship Management Technical Foundation 12.1.3 as the vulnerable product/version. The NVD vector and Oracle description agree on network access, no privileges required, user interaction required, high confidentiality impact and low integrity impact. The published date used here is the CVE publish timestamp 2017-01-27T22:59:07.570Z; the later 2026-05-13 modification timestamp is not treated as the issue date.
Official resources
- CVE-2017-3419 CVE record (CVE.org)
- CVE-2017-3419 NVD detail (NVD)
- Source item: NVD modified feed (nvd_modified)
- Mitigation or vendor reference: [email protected] (NVD reference tags: Patch, Vendor Advisory)
- Source reference: CVE published 2017-01-27T22:59:07.570Z; the record was later modified on 2026-05-13T00:24:29.033Z. No KEV listing is indicated in the supplied data.