Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP Transfer-Encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy. Specifically:
- Tomcat incorrectly ignored the Transfer-Encoding header if the client declared it would only accept an HTTP/1.0 response;
- Tomcat honoured the identity encoding; and
- Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
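As an added example, not part of this advisory and not Tomcat's own code: a request-framing check in Python that a reverse proxy, WAF rule or test harness could apply to an incoming request head before forwarding it, enforcing the three conditions the description lists. The function names, the constructed sample requests, the decision to reject (rather than silently drop or process) a Transfer-Encoding header on an HTTP/1.0 request, and the additional Transfer-Encoding/Content-Length conflict rule taken from RFC 7230 §3.3.3 are this example's own choices.

```python
"""Request-framing validation covering the Transfer-Encoding parsing
mistakes described for CVE-2021-33037.  Added example code; it is not
Tomcat's implementation.  Sample requests below are constructed."""

from typing import List, Tuple

# Transfer codings registered in RFC 7230 / the HTTP Transfer Coding registry.
# 'identity' is deliberately absent: RFC 7230 removed it as a transfer coding.
KNOWN_CODINGS = {"chunked", "gzip", "x-gzip", "deflate", "compress", "x-compress"}


def parse_request_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a request head into (version, [(name, value), ...]).
    Minimal parser for the example: no obs-fold, ASCII only."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    lines = head.split("\r\n")
    _method, _target, version = lines[0].split(" ")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return version, headers


def parse_transfer_codings(header_values: List[str]) -> List[str]:
    """Merge repeated Transfer-Encoding lines into one ordered, lower-cased
    list (RFC 7230 comma-separated list syntax), preserving order so the
    'chunked must be final' rule can be applied."""
    codings = []
    for value in header_values:
        for item in value.split(","):
            item = item.strip().lower()
            if item:
                codings.append(item)
    return codings


def check_request_framing(version: str, headers: List[Tuple[str, str]]) -> Tuple[bool, str]:
    """Return (accept, reason).  Anything False should be answered with a
    4xx/501 and the connection closed, never forwarded upstream."""
    te_values = [v for k, v in headers if k.lower() == "transfer-encoding"]
    cl_values = [v for k, v in headers if k.lower() == "content-length"]
    if not te_values:
        return True, "no transfer-encoding; body framed by content-length or absent"

    codings = parse_transfer_codings(te_values)

    # Condition 1: never ignore the header because of the request version.
    # Design choice here: an HTTP/1.0 request carrying Transfer-Encoding is
    # rejected outright instead of being parsed as if the header were absent.
    if version != "HTTP/1.1":
        return False, f"transfer-encoding not accepted on {version} request"

    # Condition 2: 'identity' is not a transfer coding; do not honour it.
    if "identity" in codings:
        return False, "identity transfer coding not permitted"

    unknown = [c for c in codings if c not in KNOWN_CODINGS]
    if unknown:
        return False, f"unknown transfer coding(s): {unknown}"

    # Condition 3: chunked, if present, must appear once and be the final coding;
    # without a final chunked coding the body length cannot be determined.
    if "chunked" not in codings:
        return False, "transfer-encoding without final chunked coding"
    if codings.count("chunked") != 1 or codings[-1] != "chunked":
        return False, "chunked must be the single, final transfer coding"

    # Extra rule (RFC 7230 3.3.3): both length mechanisms at once is ambiguous
    # between front end and back end, which is the root of request smuggling.
    if cl_values:
        return False, "transfer-encoding and content-length both present"

    return True, "chunked framing"


# Constructed sample request heads (no real traffic).
SAMPLE_OK = b"POST /app HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: gzip, chunked\r\n\r\n"
SAMPLE_HTTP10 = b"POST /app HTTP/1.0\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n"
SAMPLE_IDENTITY = b"POST /app HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: identity\r\n\r\n"
SAMPLE_NOT_FINAL = b"POST /app HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked, gzip\r\n\r\n"


def run_samples() -> dict:
    """Evaluate every constructed sample; returns name -> accept flag."""
    samples = {"ok": SAMPLE_OK, "http10": SAMPLE_HTTP10,
               "identity": SAMPLE_IDENTITY, "not_final": SAMPLE_NOT_FINAL}
    return {name: check_request_framing(*parse_request_head(raw))[0]
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, accepted in run_samples().items():
        print(f"{name:10s} -> {'accept' if accepted else 'reject'}")
```

The check is order-sensitive on purpose: the header lines are merged before any rule runs, so a second Transfer-Encoding line cannot slip a coding past a check that only looked at the first line, and chunked is required to be last in the merged list rather than merely present.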
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

References
Link Providers
https://kc.mcafee.com/corporate/index?page=content&id=SB10366
https://lists.apache.org/thread.html/r290aee55b72811fd19e75ac80f6143716c079170c5671b96932ed44b%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/r40f921575aee8d7d34e53182f862c45cbb8f3d898c9d4e865c2ec262%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/r612a79269b0d5e5780c62dfd34286a8037232fec0bc6f1a7e60c9381%40%3Cannounce.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rc6ef52453bb996a98cb45442871a1db56b7c349939e45d829bf9ae37%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/rd0dfea39829bc0606c936a16f6fca338127c86c0a1083970b45ac8d2%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/re01e7e93154e8bdf78a11a23f9686427bd3d51fc6e12c508645567b7%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/rf1b54fd3f52f998ca4829159a88cc4c23d6cef5c6447d00948e75c97%40%3Ccommits.tomee.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html
https://nvd.nist.gov/vuln/detail/CVE-2021-33037
https://security.gentoo.org/glsa/202208-34
https://security.netapp.com/advisory/ntap-20210827-0007/
https://www.cve.org/CVERecord?id=CVE-2021-33037
https://www.debian.org/security/2021/dsa-4952
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html
History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2024-08-03T23:42:19.203Z

Reserved: 2021-05-17T00:00:00

Link: CVE-2021-33037

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-07-12T15:15:08.400

Modified: 2024-11-21T06:08:10.320

Link: CVE-2021-33037

Redhat

Severity : Moderate

Public Date: 2021-07-12T00:00:00Z

Links: CVE-2021-33037 - Bugzilla

OpenCVE Enrichment

No data.