CVE-2021-33037

Description

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP Transfer-Encoding request header in some circumstances, leading to the possibility of request smuggling when Tomcat is deployed behind a reverse proxy that frames the same request body differently. Specifically:
 - Tomcat incorrectly ignored the Transfer-Encoding header if the client declared it would only accept an HTTP/1.0 response;
 - Tomcat honoured the identity encoding; and
 - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
Each condition is a case where Tomcat and a front-end proxy can disagree about where one request ends and the next begins. A Tomcat instance that terminates client connections directly, with no proxy in front of it, has no second parser to disagree with, so the practical exposure is the proxied deployment.
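The three parsing conditions above can be made concrete. The Python block below is an added example, not Tomcat's source and not a reproduction of the fixed code: lenient_framing models the three mistakes as the advisory words them, strict_framing applies the RFC 7230 section 3.3 framing rules that remove each disagreement, and compare runs both over constructed request heads. The supported-coding set (chunked and gzip), the request samples and every function name are assumptions made for the illustration; which transfer codings real Tomcat builds accept is not modelled.

```python
# Illustrative only: a lenient Transfer-Encoding parser reproducing the three
# mistakes named in the CVE-2021-33037 advisory, beside a strict one.
# This is not Tomcat's code; the supported-coding set below is an assumption.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: this toy server can decode the "chunked" and "gzip" transfer codings.
SUPPORTED_CODINGS = {"chunked", "gzip"}


@dataclass(frozen=True)
class Framing:
    status: Optional[int]  # None when the request is accepted, else an error status
    method: str            # "chunked", "content-length", "none" or "reject"
    reason: str


def parse_request_head(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw request head into (request-line version, lower-cased header map)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    _method, _target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        # Repeated fields combine into one comma-separated list (RFC 7230 s3.2.2).
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return version, headers


def codings(te_value: str) -> List[str]:
    """Transfer-coding names form a case-insensitive comma-separated list."""
    return [c.strip().lower() for c in te_value.split(",") if c.strip()]


def lenient_framing(version: str, headers: Dict[str, str]) -> Framing:
    """Framing as the advisory describes the pre-fix behaviour (modelled, not Tomcat's code)."""
    te, cl = headers.get("transfer-encoding"), headers.get("content-length")
    # Mistake 1: Transfer-Encoding is ignored when the request line says HTTP/1.0.
    if te is not None and version == "HTTP/1.1":
        chunked = False
        for name in codings(te):
            if name == "identity":      # Mistake 2: "identity" is quietly accepted.
                continue
            if name == "chunked":       # Mistake 3: its position in the list is not checked.
                chunked = True
            elif name not in SUPPORTED_CODINGS:
                return Framing(501, "reject", f"unsupported transfer coding {name!r}")
        if chunked:
            return Framing(None, "chunked", "chunked appears somewhere in Transfer-Encoding")
    if cl is not None:
        return Framing(None, "content-length", f"body is {int(cl)} bytes")
    return Framing(None, "none", "no message body")


def strict_framing(version: str, headers: Dict[str, str]) -> Framing:
    """Framing that removes each of the three disagreements (RFC 7230 s3.3.1 and s3.3.3)."""
    te, cl = headers.get("transfer-encoding"), headers.get("content-length")
    if te is not None:
        names = codings(te)
        if not names:
            return Framing(400, "reject", "empty Transfer-Encoding")
        for name in names:
            # "identity" is not a transfer coding in RFC 7230, so it is unsupported like any other.
            if name not in SUPPORTED_CODINGS:
                return Framing(501, "reject", f"unsupported transfer coding {name!r}")
        if names[-1] != "chunked" or "chunked" in names[:-1]:
            return Framing(400, "reject", "chunked must appear exactly once and last")
        if cl is not None:
            # RFC 7230 s3.3.3 permits treating TE plus Content-Length as an error; do so.
            return Framing(400, "reject", "both Transfer-Encoding and Content-Length present")
        # The request-line version does not switch Transfer-Encoding processing off.
        return Framing(None, "chunked", f"chunked framing applied to a {version} request")
    if cl is not None:
        if not cl.isdigit():
            return Framing(400, "reject", "malformed Content-Length")
        return Framing(None, "content-length", f"body is {int(cl)} bytes")
    return Framing(None, "none", "no message body")


# Constructed request heads: one per advisory bullet plus a well-formed control.
CASES: Dict[str, bytes] = {
    "http10_with_te": b"POST /app HTTP/1.0\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n",
    "identity_with_cl": b"POST /app HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: identity\r\nContent-Length: 5\r\n\r\n",
    "chunked_not_final": b"POST /app HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked, gzip\r\n\r\n",
    "well_formed": b"POST /app HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n",
}


def compare(raw: bytes) -> Tuple[str, str]:
    """Return (lenient, strict) outcomes; any difference is a framing seam a proxy could exploit."""
    version, headers = parse_request_head(raw)

    def describe(f: Framing) -> str:
        return f.method if f.status is None else f"{f.status} {f.reason}"

    return describe(lenient_framing(version, headers)), describe(strict_framing(version, headers))


if __name__ == "__main__":
    for label, raw in CASES.items():
        lenient, strict = compare(raw)
        print(f"{label:18} lenient={lenient:16} strict={strict}  [{'DISAGREE' if lenient != strict else 'agree'}]")
```

Run stand-alone, the script flags the first three cases as disagreements and the control as agreement. Whenever a front end frames a body one way and the origin frames it the other, the bytes left over on the connection are read as the start of the next request, which is the smuggling the advisory describes. Upgrading so both ends agree is the fix; where that is delayed, having the proxy reject any request whose Transfer-Encoding is not exactly "chunked", and any request carrying both Transfer-Encoding and Content-Length, closes the same seam from the front.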

Risk Information

Base Score: 5.3 (MODERATE)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS Score (Exploitation Probability): 1.865

Associated Vulnerability

Vulnerability | OS Platform
Vulnerabilities CVE-2021-33037 are fixed in 15 June 2021 Fixed in Apache Tomcat 10.0.7 | Windows
Vulnerabilities CVE-2021-33037 are fixed in 15 June 2021 Fixed in Apache Tomcat 9.0.48 | Windows
Vulnerabilities CVE-2021-33037 are fixed in 15 June 2021 Fixed in Apache Tomcat 8.5.68 | Windows
Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 7.0.3.0 | Windows
Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 7.0.4.0 | Windows
Multiple Vulnerabilities are affected in IBM WebMethods Integration Server 10.15 | Windows
Vulnerabilities CVE-2021-33037 are fixed in Apache - tomcat 10.0.7 | Windows
Vulnerabilities CVE-2021-33037 are fixed in Apache - tomcat 9.0.48 | Windows
Vulnerabilities CVE-2021-33037 are fixed in Apache - tomcat 8.5.68 | Windows
Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 6.2.7.3 | Windows
Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 6.2.7.4 | Windows
Multiple Vulnerabilities are affected in IBM WebMethods Integration Server 10.11 | Windows
Multiple Vulnerabilities are affected in IBM WebMethods Integration Server 11.1 | Windows
Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 6.2.7.9 | Windows
Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 7.0.5.4 | Windows
Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 7.1.1.1 | Windows
Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 7.0.5.3 | Windows
Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 7.1.0.0 | Windows
Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 7.1.1.0 | Windows
Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 7.1.1.2 | Windows
Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 6.2.7.8 | Windows
tomcat9 security update (DSA-4952-1) tomcat9_9.0.31-1~deb10u5_all.deb | Linux
SUSE-SU-2021:3602-1 (SUSE Linux Enterprise Server 12-SP5) javapackages-tools-2.0.1-13.1.x86_64.rpm | Linux
SUSE-SU-2021:3602-1 (SUSE Linux Enterprise Server 12-SP5) tomcat-9.0.36-3.71.1.noarch.rpm | Linux
SUSE-SU-2021:3602-1 (SUSE Linux Enterprise Server 12-SP5) tomcat-admin-webapps-9.0.36-3.71.1.noarch.rpm | Linux
SUSE-SU-2021:3602-1 (SUSE Linux Enterprise Server 12-SP5) tomcat-docs-webapp-9.0.36-3.71.1.noarch.rpm | Linux
SUSE-SU-2021:3602-1 (SUSE Linux Enterprise Server 12-SP5) tomcat-el-3_0-api-9.0.36-3.71.1.noarch.rpm | Linux
SUSE-SU-2021:3602-1 (SUSE Linux Enterprise Server 12-SP5) tomcat-javadoc-9.0.36-3.71.1.noarch.rpm | Linux
SUSE-SU-2021:3602-1 (SUSE Linux Enterprise Server 12-SP5) tomcat-jsp-2_3-api-9.0.36-3.71.1.noarch.rpm | Linux
SUSE-SU-2021:3602-1 (SUSE Linux Enterprise Server 12-SP5) tomcat-lib-9.0.36-3.71.1.noarch.rpm | Linux
SUSE-SU-2021:3602-1 (SUSE Linux Enterprise Server 12-SP5) tomcat-servlet-4_0-api-9.0.36-3.71.1.noarch.rpm | Linux
SUSE-SU-2021:3602-1 (SUSE Linux Enterprise Server 12-SP5) tomcat-webapps-9.0.36-3.71.1.noarch.rpm | Linux
Apache Tomcat 9 - Servlet and JSP engine (USN-5360-1) tomcat9_9.0.31-1ubuntu0.2_all.deb | Linux
Apache Tomcat 9 - Servlet and JSP engine (USN-5360-1) tomcat9_9.0.16-3ubuntu0.18.04.2_all.deb | Linux
Apache Tomcat 9 - Servlet and JSP engine (USN-5360-1) tomcat9-common_9.0.31-1ubuntu0.2_all.deb | Linux
Apache Tomcat 9 - Servlet and JSP engine (USN-5360-1) tomcat9-common_9.0.16-3ubuntu0.18.04.2_all.deb | Linux
Apache Tomcat 9 - Servlet and JSP engine (USN-5360-1) libtomcat9-java_9.0.31-1ubuntu0.2_all.deb | Linux
Apache Tomcat 9 - Servlet and JSP engine (USN-5360-1) libtomcat9-java_9.0.16-3ubuntu0.18.04.2_all.deb | Linux
Apache Tomcat 9 - Servlet and JSP engine (USN-5360-1) libtomcat9-embed-java_9.0.31-1ubuntu0.2_all.deb | Linux
Apache Tomcat 9 - Servlet and JSP engine (USN-5360-1) libtomcat9-embed-java_9.0.16-3ubuntu0.18.04.2_all.deb | Linux
Vulnerabilities CVE-2021-33037 are fixed in 15 June 2021 Fixed in Apache Tomcat 10.0.7 (For Linux) | Linux
Vulnerabilities CVE-2021-33037 are fixed in 15 June 2021 Fixed in Apache Tomcat 9.0.48 (For Linux) | Linux
Vulnerabilities CVE-2021-33037 are fixed in 15 June 2021 Fixed in Apache Tomcat 8.5.68 (For Linux) | Linux
tomcat9 Security Update (ALAS2023-2023-059) tomcat9-9.0.64-1.amzn2023.0.2.noarch.rpm | Linux
tomcat9 Security Update (ALAS2023-2023-059) tomcat9-admin-webapps-9.0.64-1.amzn2023.0.2.noarch.rpm | Linux
tomcat9 Security Update (ALAS2023-2023-059) tomcat9-docs-webapp-9.0.64-1.amzn2023.0.2.noarch.rpm | Linux
tomcat9 Security Update (ALAS2023-2023-059) tomcat9-el-3.0-api-9.0.64-1.amzn2023.0.2.noarch.rpm | Linux
tomcat9 Security Update (ALAS2023-2023-059) tomcat9-jsp-2.3-api-9.0.64-1.amzn2023.0.2.noarch.rpm | Linux
tomcat9 Security Update (ALAS2023-2023-059) tomcat9-lib-9.0.64-1.amzn2023.0.2.noarch.rpm | Linux
tomcat9 Security Update (ALAS2023-2023-059) tomcat9-servlet-4.0-api-9.0.64-1.amzn2023.0.2.noarch.rpm | Linux
tomcat9 Security Update (ALAS2023-2023-059) tomcat9-webapps-9.0.64-1.amzn2023.0.2.noarch.rpm | Linux
Vulnerabilities CVE-2021-33037 are fixed in Apache - tomcat for Linux 10.0.7 | Linux
Vulnerabilities CVE-2021-33037 are fixed in Apache - tomcat for Linux 9.0.48 | Linux
Vulnerabilities CVE-2021-33037 are fixed in Apache - tomcat for Linux 8.5.68 | Linux
Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) Vulnerability (CVE-2021-33037) | NCM

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2021-33037
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33037