CVE-2021-33037

CWE-444 — HTTP Request Smuggling16 documents11 sources

Severity

5.3MEDIUM

EPSS

1.9%

top 16.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mcafee Epolicy Orchestrator Oracle Graph Server AND Client Apache Tomcat +20 more

Timeline

PublishedJul 12

Latest updateApr 15

Description

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the fina…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages25 packages

▶Mavenorg.apache.tomcat:tomcat10.0.0-M1 — 10.0.7+2

▶NVDapache/tomcat8.5.0 — 8.5.66+2

▶CVEListV5apache_software_foundation/apache_tomcatApache Tomcat 10 10.0.0-M1 to 10.0.6, Apache Tomcat 8 8.5.0 to 8.5.66, Apache Tomcat 9 9.0.0.M1 to 9.0.46+2

▶Debiantomcat9< 9.0.43-2~deb11u1+3

▶Ubuntutomcat9< 9.0.16-3ubuntu0.18.04.2+1

Also affects: Debian Linux 10.0, 9.0

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

tomcat9 vulnerabilities↗2022-03-31

▶

GHSA

HTTP Request Smuggling in Apache Tomcat↗2021-08-13

▶

OSV

HTTP Request Smuggling in Apache Tomcat↗2021-08-13

▶

OSV

CVE-2021-33037: Apache Tomcat 10↗2021-07-12

▶

CVEList

Incorrect Transfer-Encoding handling with HTTP/1.0↗2021-07-12

▶

📋Vendor Advisories

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: MFT Runtime Server (Apache Tomcat) — CVE-2021-33037↗2022-04-15

▶

Ubuntu

Tomcat vulnerabilities↗2022-03-31

▶

Oracle

Oracle Oracle Graph Server and Client Risk Matrix: Packaging/Install (Apache Tomcat) — CVE-2021-33037↗2022-01-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: Pricing (Apache Tomcat) — CVE-2021-33037↗2021-10-15

▶

Red Hat

tomcat: HTTP request smuggling when used with a reverse proxy↗2021-07-12

▶

🕵️Threat Intelligence

Qualys

Apache Tomcat HTTP Request Smuggling Vulnerability (CVE-2021-33037) | Qualys↗2021-10-27

▶

Qualys

Apache Tomcat HTTP Request Smuggling Vulnerability (CVE-2021-33037)↗2021-10-27

▶