PatchSiren cyber security CVE debrief

CVE-2017-3431 Oracle CVE debrief

CVE-2017-3431 is a high-severity vulnerability in the Oracle One-to-One Fulfillment component of Oracle E-Business Suite that can be reached over HTTP by an unauthenticated network attacker. Oracle and NVD list affected supported releases from 12.1.1 through 12.2.6; a successful attack requires user interaction and can expose sensitive data or allow data modification.

Vendor: Oracle
Product: CVE-2017-3431
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Organizations running Oracle E-Business Suite instances that include the One-to-One Fulfillment component, especially teams responsible for application security, patching, and external-facing enterprise web services.

Technical summary

NVD scores the issue at CVSS v3.0 base score 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N): network-reachable, low attack complexity, no privileges required, but user interaction needed, with scope changed. The vulnerability affects the Oracle One-to-One Fulfillment user interface and carries a high confidentiality impact and a low integrity impact, with no availability impact. NVD marks the weakness as NVD-CWE-noinfo, so the public record does not give a more specific CWE category.

Defensive priority

High. The attack surface is network-accessible, requires no authentication, and affects enterprise software that may hold sensitive business data.

Recommended defensive actions

  • Confirm whether Oracle One-to-One Fulfillment is deployed in any Oracle E-Business Suite environment.
  • Verify exposure of the affected HTTP-accessible component and limit external access where possible.
  • Apply the fix from Oracle's January 2017 Critical Patch Update (CPU) for CVE-2017-3431, or the vendor-recommended remediation path referenced in the Oracle advisory.
  • Check installed version numbers against the affected releases listed by NVD: 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6.
  • Review authentication, web access, and application logs for unusual requests or user-interaction patterns involving the One-to-One Fulfillment UI.
  • If immediate patching is not possible, reduce exposure by segmenting the application and restricting who can reach the relevant HTTP endpoints.

Evidence notes

Primary evidence comes from the NVD record for CVE-2017-3431, which lists the affected Oracle One-to-One Fulfillment versions and the CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. The CVE was published on 2017-01-27T22:59:07.977Z and last modified by NVD on 2026-05-13T00:24:29.033Z; use the published date for timing context. The NVD record references Oracle's January 2017 CPU advisory as the vendor patch and advisory source.

Official resources

Publicly disclosed in the CVE record on 2017-01-27; NVD later modified the record on 2026-05-13. No CISA KEV entry for this CVE is present in the provided corpus.