CVE-2017-3359 in E-Business

Summary

by MITRE

Vulnerability in the Oracle Customer Intelligence component of Oracle E-Business Suite (subcomponent: User Interface). Supported versions that are affected are 12.1.1, 12.1.2 and 12.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Customer Intelligence. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Customer Intelligence, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Customer Intelligence accessible data as well as unauthorized update, insert or delete access to some of Oracle Customer Intelligence accessible data. CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts).


Analysis

by VulDB Data Team • 05/15/2026

The vulnerability described in CVE-2017-3359 is a critical security flaw in the Oracle Customer Intelligence component of the Oracle E-Business Suite. It resides in the User Interface subcomponent of Oracle Customer Intelligence and is reachable over standard HTTP without authentication credentials. The affected versions 12.1.1, 12.1.2, and 12.1.3 all share this susceptibility, indicating a widespread issue across multiple releases of the Oracle E-Business Suite. Its classification as easily exploitable means that malicious actors can leverage network-based attacks without privileged access or specialized tools, significantly broadening the potential attack surface.

The technical nature of this vulnerability stems from inadequate input validation and access control mechanisms within the Oracle Customer Intelligence User Interface component. Attackers can exploit this weakness by crafting malicious HTTP requests that bypass normal authentication procedures, potentially gaining unauthorized access to sensitive customer intelligence data. The vulnerability's impact extends beyond just the immediate component, as successful exploitation can lead to unauthorized access to critical data repositories and enable complete access to all data accessible through Oracle Customer Intelligence. This encompasses not only read operations but also modification capabilities, allowing attackers to perform unauthorized update, insert, or delete operations on sensitive datasets.

From an operational standpoint, the vulnerability presents significant risks to organizations utilizing Oracle E-Business Suite, particularly those handling sensitive customer information and business intelligence data. The requirement for human interaction from users other than the attacker suggests that social engineering or targeted phishing attacks may be necessary to initiate the exploitation process, but once triggered, the impact can be devastating. The CVSS v3.0 base score of 8.2 reflects the high severity of this vulnerability, with impacts rated as high for both confidentiality and integrity. This scoring indicates that attackers can potentially access or modify critical business intelligence data, customer records, and other sensitive information that organizations rely upon for competitive advantage and regulatory compliance.

Organizations should implement immediate mitigation strategies including applying the relevant Oracle security patches and updates released to address this vulnerability. Network segmentation and access controls should be strengthened to limit exposure of the affected components, while monitoring systems should be enhanced to detect unusual HTTP traffic patterns that may indicate exploitation attempts. The vulnerability aligns with CWE-284 (Improper Access Control) and potentially CWE-352 (Cross-Site Request Forgery) depending on the specific exploitation vectors. From an ATT&CK framework perspective, this vulnerability maps to techniques involving initial access through network services and privilege escalation through data access and modification capabilities. Regular security assessments and vulnerability scanning should be conducted to identify similar weaknesses in other Oracle E-Business Suite components and ensure comprehensive protection against similar threats.

Reservation

12/06/2016

Disclosure

01/27/2017

Moderation

accepted

Entry

VDB-95588

CPE

ready

EPSS

0.00647

KEV

no

Activities

very low

Sources
