CVE-2017-3435 in E-Business Suite
Summary
by MITRE
Vulnerability in the Oracle One-to-One Fulfillment component of Oracle E-Business Suite (subcomponent: User Interface). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle One-to-One Fulfillment. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle One-to-One Fulfillment, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle One-to-One Fulfillment accessible data as well as unauthorized update, insert or delete access to some of Oracle One-to-One Fulfillment accessible data. CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts).
Analysis
by VulDB Data Team • 05/16/2026
The vulnerability identified as CVE-2017-3435 resides within the Oracle One-to-One Fulfillment component of Oracle E-Business Suite, specifically within the User Interface subcomponent. This flaw represents a significant security weakness that affects multiple versions of the Oracle E-Business Suite including 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The vulnerability's classification as easily exploitable indicates that attackers can leverage this weakness with minimal technical sophistication, making it particularly dangerous in production environments where such systems often handle sensitive business data.
The technical nature of this vulnerability allows unauthenticated attackers to compromise the Oracle One-to-One Fulfillment system through HTTP network connections without requiring prior authentication credentials. This means that malicious actors can potentially access the system simply by sending crafted HTTP requests to the affected Oracle E-Business Suite instances. The vulnerability's CVSS v3.0 base score of 8.2 reflects its substantial impact potential, specifically rating high for both confidentiality and integrity impacts. The attack vector requires network access via HTTP, which means that systems exposed to the internet or accessible networks are particularly at risk.
The operational impact of this vulnerability extends beyond the immediate One-to-One Fulfillment component. Successful exploitation can lead to unauthorized access to critical data within the Oracle One-to-One Fulfillment system, potentially allowing attackers to view sensitive business information including customer data, order details, and fulfillment records. Additionally, the vulnerability enables unauthorized update, insert, or delete operations against some of the affected data, which could result in data corruption, manipulation, or data loss. Because successful attacks require interaction from a person other than the attacker, exploitation depends on a legitimate user being induced to perform an action (for example through social engineering or phishing), so environments whose users are routinely targeted for credential harvesting or manipulated into taking actions are at elevated risk.
Organizations affected by this vulnerability should apply multiple layers of defense to their Oracle E-Business Suite installations. Network segmentation and access controls should limit exposure of the affected components to untrusted networks. Web application firewalls and intrusion detection systems can help identify and block malicious HTTP traffic directed at the affected component. Regular security assessments and vulnerability scanning should be conducted to confirm that affected versions have been patched and to identify any signs of exploitation attempts. According to CWE standards, this vulnerability aligns with CWE-287, which addresses authentication issues, and the ATT&CK framework would categorize it under Initial Access techniques involving network service exploitation. Its impact on data confidentiality and integrity makes it particularly concerning for organizations handling sensitive business information and warrants prompt remediation to prevent data breaches or financial losses.