CVE-2017-3335 in E-Business Suite
Summary
by MITRE
Vulnerability in the Oracle Marketing component of Oracle E-Business Suite (subcomponent: User Interface). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Marketing. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Marketing, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Marketing accessible data as well as unauthorized update, insert or delete access to some of Oracle Marketing accessible data. CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts).
Analysis
by VulDB Data Team • 05/15/2026
The vulnerability identified as CVE-2017-3335 resides within the Oracle Marketing component of Oracle E-Business Suite, specifically within the User Interface subcomponent. This weakness affects supported versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6, making it a widespread issue across the Oracle E-Business Suite ecosystem. The vulnerability's classification as easily exploitable indicates that attackers can leverage it with minimal technical sophistication, potentially compromising the entire Oracle Marketing module without requiring authentication credentials. The attack vector operates through HTTP network access, allowing remote exploitation from any location where the vulnerable service is accessible.
The technical flaw manifests as a security weakness that enables unauthorized access to sensitive data and system modifications within the Oracle Marketing environment. The vulnerability's impact extends beyond the immediate component, potentially affecting additional Oracle products within the suite, creating a cascading security risk. The CVSS v3.0 base score of 8.2 reflects the severity of the compromise, indicating both confidentiality and integrity impacts. The issue aligns with CWE-284, which addresses improper access control vulnerabilities, and the attack pattern corresponds to ATT&CK technique T1071.004 for application layer protocol: Hypertext Transfer Protocol. The vulnerability requires human interaction from users other than the attacker, suggesting a social engineering component where users might inadvertently trigger the exploitation through legitimate system interactions.
The operational impact of this vulnerability is substantial, as successful exploitation can lead to complete access to all Oracle Marketing accessible data, including sensitive customer information, marketing campaigns, and business intelligence. Additionally, attackers can perform unauthorized update, insert, or delete operations on the affected data, potentially corrupting critical business information or manipulating marketing strategies. This compromise directly affects the integrity of business processes and can result in significant financial and reputational damage. Organizations utilizing affected Oracle E-Business Suite versions face heightened risk of data breaches, competitive intelligence theft, and potential regulatory compliance violations. The vulnerability's ability to impact additional products within the Oracle ecosystem amplifies the potential damage, as attackers might leverage this weakness to move laterally across interconnected systems.
Mitigation strategies should prioritize immediate patching of all affected Oracle E-Business Suite versions through official Oracle security updates. Organizations should implement network segmentation to restrict access to Oracle Marketing components and establish robust monitoring for unusual HTTP traffic patterns. The principle of least privilege should be enforced, limiting user access to only necessary system functions. Network access controls and firewall rules should be configured to restrict external access to Oracle Marketing services. Regular security assessments and vulnerability scanning should be conducted to identify similar weaknesses in other Oracle components. System administrators should also implement comprehensive logging and audit trails to detect unauthorized access attempts and maintain detailed records of system modifications. The remediation process should follow Oracle's official security advisory procedures and consider implementing additional security controls such as intrusion detection systems and security information and event management solutions to enhance overall defensive posture.