CVE-2021-33037: Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some…

medium5.3CVSS 3.1

AVNACLPRNUINSUCNILAN

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

Affected

37 ranges· showing 25

Vendor	Product	Version range	Fixed in
apache	tomcat	<= 9.0.46	—
apache	tomcat	<= 10.0.6	—
apache	tomcat	—	—
apache	tomcat	8.5.0 – 8.5.66	—
apache	tomee	—	—
apache_software_foundation	apache_tomcat	—	—
apache_software_foundation	apache_tomcat	—	—
apache_software_foundation	apache_tomcat	—	—
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	tomcat9	< tomcat9 9.0.43-2 (bookworm)	tomcat9 9.0.43-2 (bookworm)
mcafee	epolicy_orchestrator	< 5.10.0	5.10.0
mcafee	epolicy_orchestrator	—	—
oracle	agile_plm	—	—
oracle	communications_cloud_native_core_policy	—	—
oracle	communications_cloud_native_core_service_communication_proxy	—	—
oracle	communications_diameter_signaling_router	8.0.0.0 – 8.5.0.2	—
oracle	communications_instant_messaging_server	—	—
oracle	communications_policy_management	—	—
oracle	communications_pricing_design_center	—	—
oracle	communications_session_report_manager	8.0.0 – 8.2.4.0	—
oracle	communications_session_route_manager	8.0.0 – 8.2.4	—
oracle	graph_server_and_client	< 21.4	21.4
oracle	healthcare_translational_research	—	—
oracle	hospitality_cruise_shipboard_property_management_system	—	—

CVSS provenance

nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

osv5.3MEDIUM