CVE-2021-33037: XSS
First published: Mon Jul 12 2021(Updated: )
Apache Tomcat is vulnerable to HTTP request smuggling, caused by improper parsing of the HTTP transfer-encoding request header. By sending a specially-crafted HTTP(S) transfer-encoding request header, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jws5-tomcat | <0:9.0.50-3.redhat_00004.1.el7 | 0:9.0.50-3.redhat_00004.1.el7 |
| redhat/jws5-tomcat-native | <0:1.2.30-3.redhat_3.el7 | 0:1.2.30-3.redhat_3.el7 |
| redhat/jws5-tomcat-vault | <0:1.1.8-4.Final_redhat_00004.1.el7 | 0:1.1.8-4.Final_redhat_00004.1.el7 |
| redhat/jws5-tomcat | <0:9.0.50-3.redhat_00004.1.el8 | 0:9.0.50-3.redhat_00004.1.el8 |
| redhat/jws5-tomcat-native | <0:1.2.30-3.redhat_3.el8 | 0:1.2.30-3.redhat_3.el8 |
| redhat/jws5-tomcat-vault | <0:1.1.8-4.Final_redhat_00004.1.el8 | 0:1.1.8-4.Final_redhat_00004.1.el8 |
| ubuntu/tomcat9 | <9.0.16-3ubuntu0.18.04.2 | 9.0.16-3ubuntu0.18.04.2 |
| ubuntu/tomcat9 | <9.0.31-1ubuntu0.2 | 9.0.31-1ubuntu0.2 |
| >=8.5.0<=8.5.66 | ||
| >9.0.0<=9.0.46 | ||
| >10.0.0<=10.0.6 | ||
| =8.0.6 | ||
| =9.0 | ||
| =10.0 | ||
| =9.3.6 | ||
| =1.14.0 | ||
| =1.14.0 | ||
| >=8.0.0.0<=8.5.0.2 | ||
| =10.0.1.5.0 | ||
| =12.5.0 | ||
| =12.0.0.3.0 | ||
| >=8.0.0<=8.2.4.0 | ||
| >=8.0.0<=8.2.4 | ||
| <21.4 | ||
| =4.1.0 | ||
| =20.1.0 | ||
| =17.1 | ||
| =17.2 | ||
| =17.3 | ||
| =12.2.1.3.0 | ||
| =12.2.1.4.0 | ||
| <=8.0.25 | ||
| =9.0 | ||
| =9.1 | ||
| =5.6 | ||
| =6.0.0.1.1 | ||
| =6.0.0.2.2 | ||
| =6.0.0.3.1 | ||
| <5.10.0 | ||
| =5.10.0 | ||
| =5.10.0-update_1 | ||
| =5.10.0-update_10 | ||
| =5.10.0-update_2 | ||
| =5.10.0-update_3 | ||
| =5.10.0-update_4 | ||
| =5.10.0-update_5 | ||
| =5.10.0-update_6 | ||
| =5.10.0-update_7 | ||
| =5.10.0-update_8 | ||
| =5.10.0-update_9 | ||
| Apache Tomcat | >=8.5.0<=8.5.66 | |
| Apache Tomcat | >9.0.0<=9.0.46 | |
| Apache Tomcat | >10.0.0<=10.0.6 | |
| Apache TomEE | =8.0.6 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Oracle Agile PLM | =9.3.6 | |
| Oracle Communications Cloud Native Core Policy | =1.14.0 | |
| Oracle Communications Cloud Native Core Service Communication Proxy | =1.14.0 | |
| Oracle Communications Diameter Signaling Router | >=8.0.0.0<=8.5.0.2 | |
| Oracle Communications Instant Messaging Server | =10.0.1.5.0 | |
| Oracle Communications Policy Management | =12.5.0 | |
| Oracle Communications Pricing Design Center | =12.0.0.3.0 | |
| Oracle Communications Session Report Manager | >=8.0.0<=8.2.4.0 | |
| Oracle Communications Session Route Manager | >=8.0.0<=8.2.4 | |
| Oracle Graph Server And Client | <21.4 | |
| Oracle Healthcare Translational Research | =4.1.0 | |
| Oracle Hospitality Cruise Shipboard Property Management System | =20.1.0 | |
| Oracle Instantis Enterprisetrack | =17.1 | |
| Oracle Instantis Enterprisetrack | =17.2 | |
| Oracle Instantis Enterprisetrack | =17.3 | |
| Oracle Managed File Transfer | =12.2.1.3.0 | |
| Oracle Managed File Transfer | =12.2.1.4.0 | |
| Oracle Mysql Enterprise Monitor | <=8.0.25 | |
| Oracle SD-WAN Edge | =9.0 | |
| Oracle SD-WAN Edge | =9.1 | |
| Oracle Secure Global Desktop | =5.6 | |
| Oracle Utilities Testing Accelerator | =6.0.0.1.1 | |
| Oracle Utilities Testing Accelerator | =6.0.0.2.2 | |
| Oracle Utilities Testing Accelerator | =6.0.0.3.1 | |
| McAfee ePolicy Orchestrator | <5.10.0 | |
| McAfee ePolicy Orchestrator | =5.10.0 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_1 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_10 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_2 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_3 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_4 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_5 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_6 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_7 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_8 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_9 | |
| redhat/tomcat | <10.0.7 | 10.0.7 |
| redhat/tomcat | <9.0.48 | 9.0.48 |
| redhat/tomcat | <8.5.68 | 8.5.68 |
| IBM DRM | <=2.0.6 | |
| debian/tomcat9 | 9.0.31-1~deb10u6 9.0.31-1~deb10u11 9.0.43-2~deb11u6 9.0.43-2~deb11u9 9.0.70-2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security-tracker.debian.org/tracker/CVE-2021-33037
- https://github.com/apache/tomcat/commit/45d70a86a901cbd534f8f570bed2aec9f7f7b88e
- https://github.com/apache/tomcat/commit/05f9e8b00f5d9251fcd3c95dcfd6cf84177f46c8
- https://github.com/apache/tomcat/commit/a2c3dc4c96168743ac0bab613709a5bbdaec41d0
- https://security-tracker.debian.org/tracker/CVE-2021-30640
- https://bz.apache.org/bugzilla/show_bug.cgi?id=65224
- https://github.com/apache/tomcat/commit/c4df8d44a959a937d507d15e5b1ca35c3dbc41eb
- https://github.com/apache/tomcat/commit/749f3cc192c68c34f2375509aea087be45fc4434
- https://github.com/apache/tomcat/commit/c6b6e1015ae44c936971b6bf8bce70987935b92e
- https://github.com/apache/tomcat/commit/91ecdc61ce3420054c04114baaaf1c1e0cbd5d56
- https://github.com/apache/tomcat/commit/e50067486cf86564175ca0cfdcbf7d209c6df862
- https://github.com/apache/tomcat/commit/b5585a9e5d4fec020cc5ebadb82f899fae22bc43
- https://github.com/apache/tomcat/commit/329932012d3a9b95fde0b18618416e659ecffdc0
- https://github.com/apache/tomcat/commit/3ce84512ed8783577d9945df28da5a033465b945
- https://security-tracker.debian.org/tracker/CVE-2021-30639
- https://bz.apache.org/bugzilla/show_bug.cgi?id=65203
- https://github.com/apache/tomcat/commit/8ece47c4a9fb9349e8862c84358a4dd23c643a24
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33037
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30640
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30639
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991046
- https://exchange.xforce.ibmcloud.com/vulnerabilities/205222
- https://www.ibm.com/support/pages/node/6497499 (Advisory)
- https://lists.apache.org/thread.html/r612a79269b0d5e5780c62dfd34286a8037232fec0bc6f1a7e60c9381%40%3Cannounce.tomcat.apache.org%3E
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://lists.apache.org/thread.html/re01e7e93154e8bdf78a11a23f9686427bd3d51fc6e12c508645567b7@%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r40f921575aee8d7d34e53182f862c45cbb8f3d898c9d4e865c2ec262@%3Ccommits.tomee.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html
- https://www.debian.org/security/2021/dsa-4952
- https://security.netapp.com/advisory/ntap-20210827-0007/
- https://lists.apache.org/thread.html/rd0dfea39829bc0606c936a16f6fca338127c86c0a1083970b45ac8d2@%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r290aee55b72811fd19e75ac80f6143716c079170c5671b96932ed44b@%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/rf1b54fd3f52f998ca4829159a88cc4c23d6cef5c6447d00948e75c97@%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/rc6ef52453bb996a98cb45442871a1db56b7c349939e45d829bf9ae37@%3Ccommits.tomee.apache.org%3E
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://kc.mcafee.com/corporate/index?page=content&id=SB10366
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://security.gentoo.org/glsa/202208-34
- https://launchpad.net/bugs/cve/CVE-2021-33037
- https://kc.mcafee.com/corporate/index?page=content&id=SB10366
- https://lists.apache.org/thread.html/r290aee55b72811fd19e75ac80f6143716c079170c5671b96932ed44b%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r40f921575aee8d7d34e53182f862c45cbb8f3d898c9d4e865c2ec262%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/rc6ef52453bb996a98cb45442871a1db56b7c349939e45d829bf9ae37%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/rd0dfea39829bc0606c936a16f6fca338127c86c0a1083970b45ac8d2%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/re01e7e93154e8bdf78a11a23f9686427bd3d51fc6e12c508645567b7%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/rf1b54fd3f52f998ca4829159a88cc4c23d6cef5c6447d00948e75c97%40%3Ccommits.tomee.apache.org%3E
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1981534
- https://access.redhat.com/errata/RHSA-2021:4863
- https://access.redhat.com/errata/RHSA-2021:4861
- https://access.redhat.com/security/cve/cve-2021-33037
- https://access.redhat.com/errata/RHSA-2022:1179
- https://access.redhat.com/errata/RHSA-2022:5532
- https://bugzilla.redhat.com/show_bug.cgi?id=1981533
- https://www.cve.org/CVERecord?id=CVE-2021-33037 https://nvd.nist.gov/vuln/detail/CVE-2021-33037
- https://github.com/apache/tomcat/commit/3202703e6d635e39b74262e81f0cb4bcbe2170dc
- https://github.com/apache/tomcat/commit/da0e7cb093cf68b052d9175e469dbd0464441b0b
- https://github.com/apache/tomcat/commit/8874fa02e9b36baa9ca6b226c0882c0190ca5a02
- https://github.com/apache/tomcat/commit/45d70a86a901cbd534f8f570bed2aec9f7f7b88e (9.0.47)
- https://github.com/apache/tomcat/commit/05f9e8b00f5d9251fcd3c95dcfd6cf84177f46c8 (9.0.47)
- https://github.com/apache/tomcat/commit/a2c3dc4c96168743ac0bab613709a5bbdaec41d0 (9.0.47)
- https://github.com/apache/tomcat/commit/3202703e6d635e39b74262e81f0cb4bcbe2170dc (8.5.67)
- https://github.com/apache/tomcat/commit/da0e7cb093cf68b052d9175e469dbd0464441b0b (8.5.67)
- https://github.com/apache/tomcat/commit/8874fa02e9b36baa9ca6b226c0882c0190ca5a02 (8.5.67)
- https://ubuntu.com/security/notices/USN-5360-1
- https://nvd.nist.gov/vuln/detail/CVE-2021-33037
- https://ubuntu.com/security/CVE-2021-33037
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2021-33037?
The severity of CVE-2021-33037 is medium with a CVSS score of 4.3.
How does CVE-2021-33037 affect Apache Tomcat?
CVE-2021-33037 affects Apache Tomcat versions 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46, and 8.5.0 to 8.5.66.
What is the remedy for CVE-2021-33037?
The remedy for CVE-2021-33037 is to upgrade Apache Tomcat to version 10.0.7, 9.0.48, or 8.5.68.
Where can I find more information about CVE-2021-33037?
You can find more information about CVE-2021-33037 at the following references: [CVE-2021-33037 at CVE.org](https://www.cve.org/CVERecord?id=CVE-2021-33037) and [CVE-2021-33037 at NIST](https://nvd.nist.gov/vuln/detail/CVE-2021-33037).
What is the CWE for CVE-2021-33037?
The CWE for CVE-2021-33037 is CWE-444.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/debian-bugs
- alias/CVE-2021-33037
- collector/ibm-support
- collector/launchpad-cve
- source/Launchpad
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- collector/redhat-cve
- collector/security-tracker-debian
- source/Debian
- collector/usn-cve
- source/Ubuntu
- vendor/ibm
- canonical/ibm drm
- version/ibm drm/2.0.6
- vendor/apache
- canonical/apache tomcat
- version/apache tomcat/8.5.0
- version/apache tomcat/8.5.66
- version/apache tomcat/9.0.46
- version/apache tomcat/10.0.6
- canonical/apache tomee
- version/apache tomee/8.0.6
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/oracle
- canonical/oracle agile plm
- version/oracle agile plm/9.3.6
- canonical/oracle communications cloud native core policy
- version/oracle communications cloud native core policy/1.14.0
- canonical/oracle communications cloud native core service communication proxy
- version/oracle communications cloud native core service communication proxy/1.14.0
- canonical/oracle communications diameter signaling router
- version/oracle communications diameter signaling router/8.0.0.0
- version/oracle communications diameter signaling router/8.5.0.2
- canonical/oracle communications instant messaging server
- version/oracle communications instant messaging server/10.0.1.5.0
- canonical/oracle communications policy management
- version/oracle communications policy management/12.5.0
- canonical/oracle communications pricing design center
- version/oracle communications pricing design center/12.0.0.3.0
- canonical/oracle communications session report manager
- version/oracle communications session report manager/8.0.0
- version/oracle communications session report manager/8.2.4.0
- canonical/oracle communications session route manager
- version/oracle communications session route manager/8.0.0
- version/oracle communications session route manager/8.2.4
- canonical/oracle graph server and client
- canonical/oracle healthcare translational research
- version/oracle healthcare translational research/4.1.0
- canonical/oracle hospitality cruise shipboard property management system
- version/oracle hospitality cruise shipboard property management system/20.1.0
- canonical/oracle instantis enterprisetrack
- version/oracle instantis enterprisetrack/17.1
- version/oracle instantis enterprisetrack/17.2
- version/oracle instantis enterprisetrack/17.3
- canonical/oracle managed file transfer
- version/oracle managed file transfer/12.2.1.3.0
- version/oracle managed file transfer/12.2.1.4.0
- canonical/oracle mysql enterprise monitor
- version/oracle mysql enterprise monitor/8.0.25
- canonical/oracle sd-wan edge
- version/oracle sd-wan edge/9.0
- version/oracle sd-wan edge/9.1
- canonical/oracle secure global desktop
- version/oracle secure global desktop/5.6
- canonical/oracle utilities testing accelerator
- version/oracle utilities testing accelerator/6.0.0.1.1
- version/oracle utilities testing accelerator/6.0.0.2.2
- version/oracle utilities testing accelerator/6.0.0.3.1
- vendor/mcafee
- canonical/mcafee epolicy orchestrator
- version/mcafee epolicy orchestrator/5.10.0
- version/mcafee epolicy orchestrator/5.10.0-update_1
- version/mcafee epolicy orchestrator/5.10.0-update_10
- version/mcafee epolicy orchestrator/5.10.0-update_2
- version/mcafee epolicy orchestrator/5.10.0-update_3
- version/mcafee epolicy orchestrator/5.10.0-update_4
- version/mcafee epolicy orchestrator/5.10.0-update_5
- version/mcafee epolicy orchestrator/5.10.0-update_6
- version/mcafee epolicy orchestrator/5.10.0-update_7
- version/mcafee epolicy orchestrator/5.10.0-update_8
- version/mcafee epolicy orchestrator/5.10.0-update_9
- package-manager/redhat
- package-manager/debian
- package-manager/ubuntu