PatchSiren cyber security CVE debrief
CVE-2017-3429 Oracle CVE debrief
CVE-2017-3429 is a high-severity Oracle One-to-One Fulfillment vulnerability in Oracle E-Business Suite’s user interface. According to the NVD record, it is network-reachable over HTTP, does not require authentication, and can be triggered with human interaction. Oracle and NVD list affected versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The stated impact is unauthorized access to sensitive data and unauthorized modification of some accessible data.
- Vendor: Oracle
- Product: CVE-2017-3429
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, application security teams, SOC analysts, and IT teams responsible for One-to-One Fulfillment deployments should prioritize this issue, especially where the application is reachable via HTTP.
Technical summary
NVD classifies this issue as CVSS v3.0 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N) with NVD-CWE-noinfo. The vulnerability affects Oracle One-to-One Fulfillment, subcomponent User Interface, in the listed 12.1.x and 12.2.x versions. The attack surface is network-based and unauthenticated, but successful exploitation requires human interaction from someone other than the attacker. The documented impact is primarily confidentiality and integrity loss.
Defensive priority
High. The combination of unauthenticated network reachability, HTTP exposure, and a CVSS 8.2 score makes this a priority patch item for any exposed or in-scope Oracle E-Business Suite deployment.
Recommended defensive actions
- Verify whether any Oracle One-to-One Fulfillment instances are running affected versions 12.1.1-12.1.3 or 12.2.3-12.2.6.
- Apply Oracle’s January 2017 Critical Patch Update, or a later cumulative update that supersedes it, using the vendor advisory referenced by NVD.
- Reduce exposure by restricting HTTP access to trusted networks or VPN-only paths where possible.
- Review business workflows and user training because exploitation requires human interaction.
- Monitor application and access logs for abnormal UI activity or unexpected data access attempts.
- Coordinate with Oracle support or your Oracle platform owner to confirm environment-specific remediation and patch compatibility.
Evidence notes
This debrief is based only on the supplied NVD record and its listed references. The core facts used here are the CVE publish date (2017-01-27), the NVD modification date (2026-05-13), the affected Oracle One-to-One Fulfillment versions, the CVSS vector, and the vendor/third-party references listed by NVD. The corpus does not provide a root-cause description, so no deeper technical mechanism is claimed.
Official resources
- CVE-2017-3429 CVE record (CVE.org)
- CVE-2017-3429 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
CVE-2017-3429 was published on 2017-01-27, with the NVD record later modified on 2026-05-13. The NVD entry references Oracle’s January 2017 Critical Patch Update advisory.