CVE-2017-3495
Summary
| CVE | CVE-2017-3495 |
|---|---|
| State | PUBLISHED |
| Assigner | oracle |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2017-04-24 19:59:02 UTC |
| Updated | 2025-04-20 01:37:25 UTC |
| Description | Vulnerability in the Oracle FLEXCUBE Direct Banking component of Oracle Financial Services Applications (subcomponent: Pre-Login). Supported versions that are affected are 12.0.2 and 12.0.3. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle FLEXCUBE Direct Banking. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle FLEXCUBE Direct Banking, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle FLEXCUBE Direct Banking accessible data. CVSS 3.0 Base Score 4.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N). |
Risk And Classification
Primary CVSS: v3.0 4.7 MEDIUM from [email protected]
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Problem Types: NVD-CWE-noinfo | Easily "exploitable" vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle FLEXCUBE Direct Banking. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle FLEXCUBE Direct Banking, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle FLEXCUBE Direct Banking accessible data.
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.0 | [email protected] | Primary | 4.7 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N |
| 2.0 | [email protected] | Primary | 4.3 | AV:N/AC:M/Au:N/C:P/I:N/A:N |
CVSS v3.0 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
RequiredScope
ChangedConfidentiality
LowIntegrity
NoneAvailability
NoneCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
CVSS v2.0 Breakdown
Access Vector
NetworkAccess Complexity
MediumAuthentication
NoneConfidentiality
PartialIntegrity
NoneAvailability
NoneAV:N/AC:M/Au:N/C:P/I:N/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Oracle | Flexcube Direct Banking | 12.0.2 | All | All | All |
| Application | Oracle | Flexcube Direct Banking | 12.0.3 | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Oracle Corporation | FLEXCUBE Direct Banking | affected 12.0.2 | Not specified |
| CNA | Oracle Corporation | FLEXCUBE Direct Banking | affected 12.0.3 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Oracle Critical Patch Update - April 2017 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | Patch, Vendor Advisory |
| Oracle Financial Services Applications Multiple Flaws Let Remote and Local Users Access Data, Remote Users Modify Data, and Remote Authenticated Users Deny Service - SecurityTracker | af854a3a-2127-422b-91ae-364da2661108 | www.securitytracker.com | |
| Oracle FLEXCUBE Direct Banking CVE-2017-3495 Remote Security Vulnerability | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | Third Party Advisory, VDB Entry |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.