PatchSiren cyber security CVE debrief
CVE-2017-3427 Oracle CVE debrief
CVE-2017-3427 is a high-severity vulnerability in Oracle E-Business Suite’s One-to-One Fulfillment component. According to the CVE record, an unauthenticated attacker with network access over HTTP can exploit the issue, but successful attacks require human interaction. Oracle and NVD list affected supported versions from 12.1.1 through 12.2.6. The described impact includes unauthorized access to critical data and unauthorized modification of some accessible data.
- Vendor: Oracle
- Product: CVE-2017-3427
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Organizations running Oracle E-Business Suite instances that include the One-to-One Fulfillment component, especially supported versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. Security teams should pay particular attention if the application is reachable over HTTP and used by business workflows involving user interaction.
Technical summary
NVD records this issue with CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N and a base score of 8.2. The vulnerability affects the Oracle One-to-One Fulfillment user interface subcomponent. The attack surface is network-based, requires no privileges, and depends on user interaction. The stated consequences are confidentiality and integrity impact, including potential unauthorized access to critical data and unauthorized update, insert, or delete access to some accessible data.
Defensive priority
High. Prioritize remediation for any exposed Oracle E-Business Suite One-to-One Fulfillment deployments, especially those that handle sensitive business data or accept HTTP requests from the internet.
Recommended defensive actions
- Identify all Oracle E-Business Suite environments using the One-to-One Fulfillment component and confirm whether they are on an affected version.
- Review and apply Oracle’s January 2017 CPU guidance for this issue using the vendor advisory reference.
- Reduce exposure of the affected application to unnecessary network access, especially HTTP access from untrusted networks.
- Audit for unexpected access or changes in One-to-One Fulfillment data, with attention to user-interaction-driven request flows.
- Validate that compensating controls and application monitoring are in place for sensitive data handled by the affected component.
Evidence notes
This debrief is based on the supplied NVD record and Oracle reference links. The CVE was published on 2017-01-27T22:59:07.837Z and later marked modified on 2026-05-13T00:24:29.033Z in the source metadata. Affected versions, attack conditions, CVSS vector, and impact statements are taken from the CVE description and NVD data. No unsupported exploit details are included.
Official resources
- CVE-2017-3427 CVE record (CVE.org)
- CVE-2017-3427 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Source reference: Publicly disclosed in the CVE record on 2017-01-27; the source metadata shows a later modification on 2026-05-13. Oracle’s January 2017 security advisory is listed as a vendor reference.