CVE-2021-33037

MEDIUM

Apache Tomcat <10.0.7-8.5.67 - Info Disclosure

Title source: llm
STIX 2.1

Description

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

References (16)

Scores

CVSS v3 5.3
EPSS 0.0186
EPSS Percentile 83.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Details

CWE
CWE-444
Status published
Products (31)
apache/tomcat 8.5.0 - 8.5.66
apache/tomee 8.0.6
debian/debian_linux 9.0
debian/debian_linux 10.0
mcafee/epolicy_orchestrator 5.10.0 (11 CPE variants)
mcafee/epolicy_orchestrator < 5.10.0
oracle/agile_plm 9.3.6
oracle/communications_cloud_native_core_policy 1.14.0
oracle/communications_cloud_native_core_service_communication_proxy 1.14.0
oracle/communications_diameter_signaling_router 8.0.0.0 - 8.5.0.2
... and 21 more
Published Jul 12, 2021
Tracked Since Feb 18, 2026