CVE-2017-3348 in E-Business Suite
Summary
by MITRE
Vulnerability in the Oracle Marketing component of Oracle E-Business Suite (subcomponent: User Interface). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Marketing. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Marketing, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Marketing accessible data as well as unauthorized update, insert or delete access to some of Oracle Marketing accessible data. CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts).
Analysis
by VulDB Data Team • 05/15/2026
CVE-2017-3348 resides in the Oracle Marketing component of Oracle E-Business Suite, in the User Interface subcomponent. The affected versions are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6, that is, every supported 12.1 and 12.2 release line at the time of the advisory. The flaw is reachable at the application layer over HTTP, Oracle rates it as easily exploitable, and no credentials are needed: the attacker is unauthenticated. The CVSS v3.0 base score of 8.2 is a High (not Critical) rating; it is driven by the confidentiality and integrity impacts, with no availability impact.
Oracle's advisory does not disclose the root cause, so the technical detail available is what the CVSS metrics and the impact wording state. The attacker needs network access over HTTP to the vulnerable instance and no credentials, but exploitation is not self-contained: a person other than the attacker must take some action, so the crafted request is delivered through a victim rather than fired directly at the server. The impact wording is asymmetric and should be read precisely. On confidentiality, a successful attack can yield unauthorized access to critical data or complete access to all data accessible through Oracle Marketing (rated High). On integrity, it yields unauthorized update, insert or delete access to some, not all, Oracle Marketing accessible data (rated Low). Availability is not affected. Because the exploited component is the web user interface and the victim must interact, the data exposed is whatever the acting user's session can reach, which is why the confidentiality impact is rated as total for Oracle Marketing data.
The operational impact extends beyond the immediate Oracle Marketing component: the advisory states that although the vulnerability is in Oracle Marketing, attacks may significantly impact additional products, which corresponds to a changed scope in CVSS terms. Oracle Marketing runs inside the shared E-Business Suite application tier, so an attacker acting in a victim's context is not confined to the Marketing module. The requirement for human interaction means the flaw will not be exploited by unattended scanning of the HTTP endpoint alone; a user with access to the suite has to be lured, typically by a targeted message or link, which puts this CVE in the category of phishing-assisted application attacks rather than drive-by server compromise. That lowers the likelihood relative to an 9.x unauthenticated flaw but does not reduce the consequence: organizations that rely on Oracle Marketing for customer data, campaign tracking and marketing analytics face disclosure of that data and tampering with part of it.
Affected organizations should apply the Oracle Critical Patch Update that lists CVE-2017-3348 for their release line; Oracle ships E-Business Suite fixes only through the CPU programme, and the EBS CPU patches are cumulative per release, so a later CPU also closes this issue. Until patched, restrict who can reach the E-Business Suite web tier: the application should not be directly internet-facing, and where external access is required, Oracle's DMZ deployment guidance limits which application URLs are exposed. Because the attack travels through a user, the delivery side also matters: mail filtering, link-rewriting and user awareness for staff who hold EBS sessions reduce the chance that a crafted request is ever opened. A web application firewall or intrusion detection in front of the web tier can log and block anomalous HTTP requests to the Marketing user-interface paths, bearing in mind that Oracle has published no exploitation details, so signatures must be derived from request anomalies rather than from a known payload. Regular vulnerability scanning of the EBS environment against the current CPU list catches this and the other fixes shipped alongside it. VulDB classifies the weakness as CWE-287 (Improper Authentication), and maps it to ATT&CK technique T1190 (Exploit Public-Facing Application); given the human-interaction prerequisite, defenders should treat the delivery step as part of the attack chain when building detections, not only the request to the public-facing application.