CVE-2021-33037

12.07.2021, 15:15

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

HTTP Request/Response Smuggling

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
apache	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 84%

Vendor	Product	Version
apache	tomcat	8.5.0 ≤ 𝑥 ≤ 8.5.66
apache	tomcat	9.0.0 < 𝑥 ≤ 9.0.46
apache	tomcat	10.0.0 < 𝑥 ≤ 10.0.6
apache	tomee	8.0.6
debian	debian_linux	9.0
debian	debian_linux	10.0
oracle	agile_plm	9.3.6
oracle	communications_cloud_native_core_policy	1.14.0
oracle	communications_cloud_native_core_service_communication_proxy	1.14.0
oracle	communications_diameter_signaling_router	8.0.0.0 ≤ 𝑥 ≤ 8.5.0.2
oracle	communications_instant_messaging_server	10.0.1.5.0
oracle	communications_policy_management	12.5.0
oracle	communications_pricing_design_center	12.0.0.3.0
oracle	communications_session_report_manager	8.0.0 ≤ 𝑥 ≤ 8.2.4.0
oracle	communications_session_route_manager	8.0.0 ≤ 𝑥 ≤ 8.2.4
oracle	graph_server_and_client	𝑥 < 21.4
oracle	healthcare_translational_research	4.1.0
oracle	hospitality_cruise_shipboard_property_management_system	20.1.0
oracle	instantis_enterprisetrack	17.1
oracle	instantis_enterprisetrack	17.2
oracle	instantis_enterprisetrack	17.3
oracle	managed_file_transfer	12.2.1.3.0
oracle	managed_file_transfer	12.2.1.4.0
oracle	mysql_enterprise_monitor	𝑥 ≤ 8.0.25
oracle	sd-wan_edge	9.0
oracle	sd-wan_edge	9.1
oracle	secure_global_desktop	5.6
oracle	utilities_testing_accelerator	6.0.0.1.1
oracle	utilities_testing_accelerator	6.0.0.2.2
oracle	utilities_testing_accelerator	6.0.0.3.1
mcafee	epolicy_orchestrator	𝑥 < 5.10.0
mcafee	epolicy_orchestrator	5.10.0
mcafee	epolicy_orchestrator	5.10.0:update_1
mcafee	epolicy_orchestrator	5.10.0:update_10
mcafee	epolicy_orchestrator	5.10.0:update_2
mcafee	epolicy_orchestrator	5.10.0:update_3
mcafee	epolicy_orchestrator	5.10.0:update_4
mcafee	epolicy_orchestrator	5.10.0:update_5
mcafee	epolicy_orchestrator	5.10.0:update_6
mcafee	epolicy_orchestrator	5.10.0:update_7
mcafee	epolicy_orchestrator	5.10.0:update_8
mcafee	epolicy_orchestrator	5.10.0:update_9

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

tomcat9

bullseye (security)	9.0.43-2~deb11u10 fixed
bullseye	9.0.43-2~deb11u10 fixed
bookworm	9.0.70-2 fixed
sid	9.0.95-1 fixed
trixie	9.0.95-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

tomcat6

noble	dne
mantic	dne
lunar	dne
kinetic	dne
jammy	dne
impish	dne
hirsute	dne
groovy	dne
focal	dne
bionic	dne
xenial	needs-triage
trusty	needs-triage

tomcat7

noble	dne
mantic	dne
lunar	dne
kinetic	dne
jammy	dne
impish	dne
hirsute	dne
groovy	dne
focal	dne
bionic	needs-triage
xenial	needs-triage
trusty	needs-triage

tomcat8

noble	dne
mantic	dne
lunar	dne
kinetic	dne
jammy	dne
impish	dne
hirsute	dne
groovy	dne
focal	dne
bionic	needs-triage
xenial	needs-triage
trusty	dne

tomcat9

noble	needs-triage
mantic	ignored
lunar	ignored
kinetic	ignored
jammy	needs-triage
impish	ignored
hirsute	ignored
groovy	ignored
focal	Fixed 9.0.31-1ubuntu0.2 released
bionic	Fixed 9.0.16-3ubuntu0.18.04.2 released
xenial	dne
trusty	dne