CVE-2017-3350 in E-Business Suite
Summary
by MITRE
Vulnerability in the Oracle Marketing component of Oracle E-Business Suite (subcomponent: User Interface). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Marketing. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Marketing, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Marketing accessible data as well as unauthorized update, insert or delete access to some of Oracle Marketing accessible data. CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts).
Analysis
by VulDB Data Team • 05/15/2026
The vulnerability described in CVE-2017-3350 represents a critical security flaw within the Oracle E-Business Suite marketing component, specifically affecting the User Interface subcomponent. This vulnerability exists in multiple supported versions including 12.1.1 through 12.2.6, making it a widespread concern across various Oracle E-Business Suite deployments. The flaw manifests as an easily exploitable vulnerability that allows unauthenticated attackers to compromise the Oracle Marketing functionality through HTTP network access, presenting a significant risk to organizations utilizing these systems.
The technical nature of this vulnerability stems from insufficient authentication mechanisms within the User Interface component, enabling attackers to gain unauthorized access to sensitive marketing data without requiring valid credentials. The attack vector operates through standard HTTP protocols, making it accessible to attackers with basic network connectivity and no specialized tools. This vulnerability falls under the Common Weakness Enumeration category of insufficient authentication, specifically CWE-287 which addresses improper authentication mechanisms. The attack requires human interaction from users other than the attacker, indicating that the exploitation may involve social engineering or user-specific interactions that could be leveraged to extend the attack scope.
The operational impact of this vulnerability extends beyond the immediate Oracle Marketing component, potentially affecting additional products within the Oracle E-Business Suite ecosystem. Successful exploitation can result in unauthorized access to critical data, representing a severe confidentiality breach that could expose sensitive customer information, marketing strategies, and business intelligence. The vulnerability also allows for unauthorized update, insert, or delete operations on accessible data, creating integrity risks that could compromise data accuracy and business operations. The CVSS v3.0 base score of 8.2 indicates a high severity level, reflecting the combination of confidentiality and integrity impacts that could significantly affect business operations and regulatory compliance.
Organizations affected by this vulnerability should prioritize immediate remediation through Oracle's security patches and updates, as the vulnerability's ease of exploitation makes it particularly dangerous. The mitigation strategy should include network segmentation to limit access to Oracle Marketing components, implementation of additional authentication layers, and monitoring for suspicious access patterns. Security teams should also conduct comprehensive vulnerability assessments to identify other potential attack vectors within the Oracle E-Business Suite environment. This vulnerability aligns with ATT&CK techniques related to credential access and privilege escalation, emphasizing the need for layered security approaches that include both technical controls and administrative procedures. Regular security awareness training for users is essential to prevent social engineering aspects of exploitation, as the vulnerability specifically requires human interaction from legitimate users to achieve successful compromise.