PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3433 Oracle CVE debrief

CVE-2017-3433 is a high-severity vulnerability in the User Interface subcomponent of Oracle One-to-One Fulfillment, part of Oracle E-Business Suite. Oracle and NVD describe it as easily exploitable by an unauthenticated attacker with network access via HTTP, but a successful attack requires human interaction from someone other than the attacker, so the attacker must induce a legitimate user to act. The affected versions in the supplied record are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The stated impact is unauthorized access to critical data or complete access to all One-to-One Fulfillment-accessible data, along with unauthorized update, insert, or delete access to some of that data. NVD records a CVSS v3.0 base score of 8.2: high confidentiality impact, low integrity impact, no availability impact, with the scope marked as changed.

Vendor
Oracle
Product
Oracle One-to-One Fulfillment (Oracle E-Business Suite)
CVSS
HIGH 8.2 (v3.0)
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-27
Original CVE updated
2026-05-13
Advisory published
2017-01-27
Advisory updated
2026-05-13

Who should care

Oracle E-Business Suite administrators, application owners, vulnerability management teams, and security operations teams responsible for systems running the listed One-to-One Fulfillment releases (12.1.1, 12.1.2, 12.1.3, and 12.2.3 through 12.2.6) should prioritize review. The issue is reachable over HTTP and needs no attacker authentication, so any deployment whose HTTP endpoints are exposed deserves immediate attention. Because user interaction is required, deployments whose users are likely targets of lures (externally reachable portals, large user populations) carry the most practical risk.

Technical summary

NVD lists the CVSS v3.0 vector as CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N: network attack vector, low attack complexity, no privileges required, user interaction required, changed scope (a successful attack can affect resources beyond the vulnerable component), high confidentiality impact, low integrity impact, and no availability impact. The changed scope is what lifts the score into the high band despite the user-interaction requirement. The record assigns no specific weakness class (NVD-CWE-noinfo). The vulnerable CPEs in the supplied source cover Oracle One-to-One Fulfillment versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The vendor advisory referenced by NVD is the Oracle Critical Patch Update (CPU) for January 2017.

Defensive priority

High. The base score is 8.2, the issue is reachable over the network without authentication, the scope is changed (impact can extend beyond the vulnerable component), and the impact includes unauthorized access to critical data and data modification. User interaction is required and the source corpus does not mark it as KEV, but neither fact lowers the exposure of an internet-facing instance; affected environments should be reviewed promptly.

Recommended defensive actions

  • Confirm whether any Oracle E-Business Suite instance runs One-to-One Fulfillment at version 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6.
  • Review Oracle's January 2017 CPU advisory referenced by NVD and apply the fix or mitigation it specifies for these releases.
  • Restrict HTTP access to Oracle application endpoints to trusted networks and users where possible; an unauthenticated attacker still needs a reachable endpoint and a user to lure.
  • Prioritize remediation for externally reachable deployments and for environments with broad user populations, where a lure is most likely to succeed.
  • After patching, verify that the affected systems no longer report a vulnerable version and that the advisory's fix is recorded as applied, rather than relying on the change ticket alone.

Evidence notes

The supplied NVD record states: “Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle One-to-One Fulfillment” and notes that “Successful attacks require human interaction.” It also describes potential unauthorized access to critical data and unauthorized update, insert, or delete access. NVD provides a CVSS v3.0 base score of 8.2 and the vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. The Oracle Critical Patch Update for January 2017 is the vendor advisory reference in the supplied source corpus.

Official resources

The references available in the supplied corpus are the NVD entry for CVE-2017-3433 and Oracle's Critical Patch Update advisory for January 2017. The CVE record shows publication on 2017-01-27T22:59:08.007Z and a later record modification on 2026-05-13T00:24:29.033Z. The corpus does not indicate KEV inclusion or use in ransomware campaigns.