Vulnerability Description
Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Tomcat | >= 8.5.0, <= 8.5.66 |
| Apache | Tomee | 8.0.6 |
| Debian | Debian Linux | 9.0 |
| Oracle | Agile Plm | 9.3.6 |
| Oracle | Communications Cloud Native Core Policy | 1.14.0 |
| Oracle | Communications Cloud Native Core Service Communication Proxy | 1.14.0 |
| Oracle | Communications Diameter Signaling Router | >= 8.0.0.0, <= 8.5.0.2 |
| Oracle | Communications Instant Messaging Server | 10.0.1.5.0 |
| Oracle | Communications Policy Management | 12.5.0 |
| Oracle | Communications Pricing Design Center | 12.0.0.3.0 |
| Oracle | Communications Session Report Manager | >= 8.0.0, <= 8.2.4.0 |
| Oracle | Communications Session Route Manager | >= 8.0.0, <= 8.2.4 |
| Oracle | Graph Server And Client | < 21.4 |
| Oracle | Healthcare Translational Research | 4.1.0 |
| Oracle | Hospitality Cruise Shipboard Property Management System | 20.1.0 |
| Oracle | Instantis Enterprisetrack | 17.1 |
| Oracle | Managed File Transfer | 12.2.1.3.0 |
| Oracle | Mysql Enterprise Monitor | <= 8.0.25 |
| Oracle | Sd-Wan Edge | 9.0 |
| Oracle | Secure Global Desktop | 5.6 |
Related Weaknesses (CWE)
References
- https://kc.mcafee.com/corporate/index?page=content&id=SB10366Third Party Advisory
- https://lists.apache.org/thread.html/r290aee55b72811fd19e75ac80f6143716c079170c5
- https://lists.apache.org/thread.html/r40f921575aee8d7d34e53182f862c45cbb8f3d898c
- https://lists.apache.org/thread.html/r612a79269b0d5e5780c62dfd34286a8037232fec0bMailing ListVendor Advisory
- https://lists.apache.org/thread.html/rc6ef52453bb996a98cb45442871a1db56b7c349939
- https://lists.apache.org/thread.html/rd0dfea39829bc0606c936a16f6fca338127c86c0a1
- https://lists.apache.org/thread.html/re01e7e93154e8bdf78a11a23f9686427bd3d51fc6e
- https://lists.apache.org/thread.html/rf1b54fd3f52f998ca4829159a88cc4c23d6cef5c64
- https://lists.debian.org/debian-lts-announce/2021/08/msg00009.htmlMailing ListThird Party Advisory
- https://security.gentoo.org/glsa/202208-34Third Party Advisory
- https://security.netapp.com/advisory/ntap-20210827-0007/Third Party Advisory
- https://www.debian.org/security/2021/dsa-4952Third Party Advisory
- https://www.oracle.com//security-alerts/cpujul2021.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory
FAQ
What is CVE-2021-33037?
CVE-2021-33037 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request ...
How severe is CVE-2021-33037?
CVE-2021-33037 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-33037?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat, Apache Tomee, Debian Debian Linux, Oracle Agile Plm, Oracle Communications Cloud Native Core Policy.