CVE-2017-3355

Vulnerability in the Oracle Marketing component of Oracle E-Business Suite (subcomponent: User Interface). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Marketing. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Marketing accessible data as well as unauthorized read access to a subset of Oracle Marketing accessible data. CVSS 3.0 Base Score 7.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N).

CVSS v3 7.1 HIGH
CVSS v2.0 6.8 MEDIUM

7.1^/10

CVSS v3 : HIGH

Vector : AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

Exploitability : 2.8 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html	Vendor Advisory
http://www.securityfocus.com/bid/98059	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:oracle:marketing:12.1.1:::::::*
	cpe:2.3:a:oracle:marketing:12.1.2:::::::*
	cpe:2.3:a:oracle:marketing:12.1.3:::::::*
	cpe:2.3:a:oracle:marketing:12.2.3:::::::*
	cpe:2.3:a:oracle:marketing:12.2.4:::::::*
	cpe:2.3:a:oracle:marketing:12.2.5:::::::*
	cpe:2.3:a:oracle:marketing:12.2.6:::::::*

History

No history.

Information

Published : 2017-04-25 19:59

Updated : 2023-12-10 12:01

NVD link : CVE-2017-3355

Mitre link : CVE-2017-3355

CVE.ORG link : CVE-2017-3355

JSON object : View

Products Affected

oracle

marketing

CWE

NVD-CWE-noinfo

{"id": "CVE-2017-3355", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.2, "exploitabilityScore": 2.8}]}, "published": "2017-04-25T19:59:00.317", "references": [{"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html", "tags": ["Vendor Advisory"], "source": "secalert_us@oracle.com"}, {"url": "http://www.securityfocus.com/bid/98059", "tags": ["Third Party Advisory", "VDB Entry"], "source": "secalert_us@oracle.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle Marketing component of Oracle E-Business Suite (subcomponent: User Interface). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily \"exploitable\" vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Marketing. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Marketing accessible data as well as unauthorized read access to a subset of Oracle Marketing accessible data. CVSS 3.0 Base Score 7.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N)."}, {"lang": "es", "value": "Vulnerabilidad en el componente Oracle Marketing de Oracle E-Business Suite (subcomponente: interfaz de usuario). Las versiones afectadas son: 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 y 12.2.6. La vulnerabilidad, f\u00e1cilmente explotable, permite a atacantes no autenticados que tengan acceso a la red a trav\u00e9s de tr\u00e1fico HTTP comprometer dicho componente. Para que el ataque tenga \u00e9xito es necesaria la interacci\u00f3n de otra persona adem\u00e1s del atacante. La explotaci\u00f3n del fallo puede derivar en la creaci\u00f3n, eliminaci\u00f3n o modificaci\u00f3n de informaci\u00f3n sensible o el acceso a toda la informaci\u00f3n de Oracle Marketing, as\u00ed como la lectura de cierta informaci\u00f3n a la que tiene acceso el propio componente. CVSS 3.0 Base Score 7.1 (impacto en la confidencialidad y en la integridad). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N)."}], "lastModified": "2019-10-03T00:03:26.223", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:marketing:12.1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FE5E189E-FB41-4332-A037-3DDA98746371"}, {"criteria": "cpe:2.3:a:oracle:marketing:12.1.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5EC9AAD6-30EF-4F5B-9923-2619E75C66B4"}, {"criteria": "cpe:2.3:a:oracle:marketing:12.1.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EDB00EEA-140F-4652-AF01-5FE522E5D1BE"}, {"criteria": "cpe:2.3:a:oracle:marketing:12.2.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6CEB6C88-B08C-44B2-8330-57B5BD931A56"}, {"criteria": "cpe:2.3:a:oracle:marketing:12.2.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F8273378-896F-4EA3-884C-47B31422028C"}, {"criteria": "cpe:2.3:a:oracle:marketing:12.2.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "704D9437-039F-46F4-ACC4-C8C10C56E251"}, {"criteria": "cpe:2.3:a:oracle:marketing:12.2.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F8C98EA8-6D5A-40DF-8232-818C8BB2FB9B"}], "operator": "OR"}]}], "sourceIdentifier": "secalert_us@oracle.com"}