CVE-2021-33037

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

CVSS v3 5.3 MEDIUM
CVSS v2.0 5.0 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://kc.mcafee.com/corporate/index?page=content&id=SB10366	Third Party Advisory
https://lists.apache.org/thread.html/r290aee55b72811fd19e75ac80f6143716c079170c5671b96932ed44b%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/r40f921575aee8d7d34e53182f862c45cbb8f3d898c9d4e865c2ec262%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/r612a79269b0d5e5780c62dfd34286a8037232fec0bc6f1a7e60c9381%40%3Cannounce.tomcat.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/rc6ef52453bb996a98cb45442871a1db56b7c349939e45d829bf9ae37%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/rd0dfea39829bc0606c936a16f6fca338127c86c0a1083970b45ac8d2%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/re01e7e93154e8bdf78a11a23f9686427bd3d51fc6e12c508645567b7%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/rf1b54fd3f52f998ca4829159a88cc4c23d6cef5c6447d00948e75c97%40%3Ccommits.tomee.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html	Mailing List Third Party Advisory
https://security.gentoo.org/glsa/202208-34	Third Party Advisory
https://security.netapp.com/advisory/ntap-20210827-0007/	Third Party Advisory
https://www.debian.org/security/2021/dsa-4952	Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat::::::::

Configuration 2 (hide)

cpe:2.3:a:apache:tomee:8.0.6:*:*:*:*:*:*:*

Configuration 3 (hide)

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*

Configuration 4 (hide)

OR	cpe:2.3:a:oracle:agile_plm:9.3.6:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.14.0:::::::*
	cpe:2.3:a:oracle:communications_diameter_signaling_router::::::::
	cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.5.0:::::::*
	cpe:2.3:a:oracle:communications_policy_management:12.5.0:::::::*
	cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0:::::::*
	cpe:2.3:a:oracle:communications_session_report_manager::::::::
	cpe:2.3:a:oracle:communications_session_route_manager::::::::
	cpe:2.3:a:oracle:graph_server_and_client::::::::
	cpe:2.3:a:oracle:healthcare_translational_research:4.1.0:::::::*
	cpe:2.3:a:oracle:hospitality_cruise_shipboard_property_management_system:20.1.0:::::::*
	cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:::::::*
	cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:::::::*
	cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:::::::*
	cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:mysql_enterprise_monitor::::::::
	cpe:2.3:a:oracle:sd-wan_edge:9.0:::::::*
	cpe:2.3:a:oracle:sd-wan_edge:9.1:::::::*
	cpe:2.3:a:oracle:secure_global_desktop:5.6:::::::*
	cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:::::::*
	cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.2.2:::::::*
	cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.3.1:::::::*

Configuration 5 (hide)

OR	cpe:2.3:a:mcafee:epolicy_orchestrator::::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:-::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_1::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_10::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_2::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_3::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_4::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_5::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_6::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_7::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_8::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_9::::::

History

07 Nov 2023, 03:35

Type	Values Removed	Values Added
References	{'url': 'https://lists.apache.org/thread.html/re01e7e93154e8bdf78a11a23f9686427bd3d51fc6e12c508645567b7@%3Ccommits.tomee.apache.org%3E', 'name': '[tomee-commits] 20210728 [jira] [Commented] (TOMEE-3778) Update embedded Tomcat to 9.0.48 or later to address CVE-2021-33037', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'MLIST'} {'url': 'https://lists.apache.org/thread.html/r290aee55b72811fd19e75ac80f6143716c079170c5671b96932ed44b@%3Ccommits.tomee.apache.org%3E', 'name': '[tomee-commits] 20210913 [jira] [Commented] (TOMEE-3778) Update embedded Tomcat to 9.0.48 or later to address CVE-2021-33037', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'MLIST'} {'url': 'https://lists.apache.org/thread.html/r40f921575aee8d7d34e53182f862c45cbb8f3d898c9d4e865c2ec262@%3Ccommits.tomee.apache.org%3E', 'name': '[tomee-commits] 20210728 [jira] [Created] (TOMEE-3778) Update embedded Tomcat to 9.0.48 or later to address CVE-2021-33037', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'MLIST'} {'url': 'https://lists.apache.org/thread.html/rc6ef52453bb996a98cb45442871a1db56b7c349939e45d829bf9ae37@%3Ccommits.tomee.apache.org%3E', 'name': '[tomee-commits] 20210916 [jira] [Resolved] (TOMEE-3778) Update embedded Tomcat to 9.0.48 or later to address CVE-2021-33037', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'MLIST'} {'url': 'https://lists.apache.org/thread.html/rf1b54fd3f52f998ca4829159a88cc4c23d6cef5c6447d00948e75c97@%3Ccommits.tomee.apache.org%3E', 'name': '[tomee-commits] 20210914 [jira] [Commented] (TOMEE-3778) Update embedded Tomcat to 9.0.48 or later to address CVE-2021-33037', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'MLIST'} {'url': 'https://lists.apache.org/thread.html/rd0dfea39829bc0606c936a16f6fca338127c86c0a1083970b45ac8d2@%3Ccommits.tomee.apache.org%3E', 'name': '[tomee-commits] 20210830 [jira] [Commented] (TOMEE-3778) Update embedded Tomcat to 9.0.48 or later to address CVE-2021-33037', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'MLIST'}	() https://lists.apache.org/thread.html/re01e7e93154e8bdf78a11a23f9686427bd3d51fc6e12c508645567b7%40%3Ccommits.tomee.apache.org%3E - () https://lists.apache.org/thread.html/r290aee55b72811fd19e75ac80f6143716c079170c5671b96932ed44b%40%3Ccommits.tomee.apache.org%3E - () https://lists.apache.org/thread.html/rc6ef52453bb996a98cb45442871a1db56b7c349939e45d829bf9ae37%40%3Ccommits.tomee.apache.org%3E - () https://lists.apache.org/thread.html/rf1b54fd3f52f998ca4829159a88cc4c23d6cef5c6447d00948e75c97%40%3Ccommits.tomee.apache.org%3E - () https://lists.apache.org/thread.html/r40f921575aee8d7d34e53182f862c45cbb8f3d898c9d4e865c2ec262%40%3Ccommits.tomee.apache.org%3E - () https://lists.apache.org/thread.html/rd0dfea39829bc0606c936a16f6fca338127c86c0a1083970b45ac8d2%40%3Ccommits.tomee.apache.org%3E -

27 Oct 2022, 01:08

Type	Values Removed	Values Added
References	~~(GENTOO) https://security.gentoo.org/glsa/202208-34 -~~	(GENTOO) https://security.gentoo.org/glsa/202208-34 - Third Party Advisory

21 Aug 2022, 05:15

Type	Values Removed	Values Added
References		(GENTOO) https://security.gentoo.org/glsa/202208-34 -

12 May 2022, 14:07

Type	Values Removed	Values Added
References	~~(MISC) https://www.oracle.com/security-alerts/cpuapr2022.html -~~	(MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory
CPE		cpe:2.3:a:oracle:healthcare_translational_research:4.1.0:::::::* cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:::::::* cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:::::::*
First Time		Oracle healthcare Translational Research Oracle managed File Transfer

20 Apr 2022, 00:16

Type	Values Removed	Values Added
References		(MISC) https://www.oracle.com/security-alerts/cpuapr2022.html -

01 Mar 2022, 18:07

Type	Values Removed	Values Added
First Time		Oracle sd-wan Edge Oracle utilities Testing Accelerator Oracle communications Instant Messaging Server Oracle communications Cloud Native Core Service Communication Proxy Oracle agile Plm Oracle hospitality Cruise Shipboard Property Management System Oracle graph Server And Client Oracle communications Cloud Native Core Policy
CPE		cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.2.2:::::::* cpe:2.3:a:oracle:graph_server_and_client:::::::: cpe:2.3:a:oracle:sd-wan_edge:9.1:::::::* cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:::::::* cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:::::::* cpe:2.3:a:oracle:hospitality_cruise_shipboard_property_management_system:20.1.0:::::::* cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.3.1:::::::* cpe:2.3:a:oracle:sd-wan_edge:9.0:::::::* cpe:2.3:a:oracle:agile_plm:9.3.6:::::::* cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.14.0:::::::* cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.5.0:::::::*
References	~~(MISC) https://www.oracle.com/security-alerts/cpujan2022.html -~~	(MISC) https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Third Party Advisory

07 Feb 2022, 16:16

Type	Values Removed	Values Added
References		(MISC) https://www.oracle.com/security-alerts/cpujan2022.html -

02 Dec 2021, 19:55

Type	Values Removed	Values Added
References	~~(CONFIRM) https://kc.mcafee.com/corporate/index?page=content&id=SB10366 -~~	(CONFIRM) https://kc.mcafee.com/corporate/index?page=content&id=SB10366 - Third Party Advisory
References	~~(MISC) https://www.oracle.com/security-alerts/cpuoct2021.html -~~	(MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory
CPE		cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:::::::* cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_4:::::: cpe:2.3:a:oracle:secure_global_desktop:5.6:::::::* cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_2:::::: cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_8:::::: cpe:2.3:a:oracle:mysql_enterprise_monitor:::::::: cpe:2.3:a:oracle:communications_policy_management:12.5.0:::::::* cpe:2.3:a:oracle:communications_session_route_manager:::::::: cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_7:::::: cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:::::::* cpe:2.3:a:mcafee:epolicy_orchestrator:::::::: cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:::::::* cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_6:::::: cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_10:::::: cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_9:::::: cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_3:::::: cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:-:::::: cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0:::::::* cpe:2.3:a:oracle:communications_session_report_manager:::::::: cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_5:::::: cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_1::::::

22 Oct 2021, 08:15

Type	Values Removed	Values Added
References		(CONFIRM) https://kc.mcafee.com/corporate/index?page=content&id=SB10366 -

20 Oct 2021, 11:16

Type	Values Removed	Values Added
References		(MISC) https://www.oracle.com/security-alerts/cpuoct2021.html -

21 Sep 2021, 16:33

Type	Values Removed	Values Added
CPE		cpe:2.3:o:debian:debian_linux:9.0:::::::* cpe:2.3:a:oracle:communications_diameter_signaling_router:::::::: cpe:2.3:a:apache:tomee:8.0.6:::::::* cpe:2.3:o:debian:debian_linux:10.0:::::::*
References	~~(MLIST) https://lists.apache.org/thread.html/r40f921575aee8d7d34e53182f862c45cbb8f3d898c9d4e865c2ec262@%3Ccommits.tomee.apache.org%3E -~~	(MLIST) https://lists.apache.org/thread.html/r40f921575aee8d7d34e53182f862c45cbb8f3d898c9d4e865c2ec262@%3Ccommits.tomee.apache.org%3E - Mailing List, Third Party Advisory
References	~~(MLIST) https://lists.apache.org/thread.html/rd0dfea39829bc0606c936a16f6fca338127c86c0a1083970b45ac8d2@%3Ccommits.tomee.apache.org%3E -~~	(MLIST) https://lists.apache.org/thread.html/rd0dfea39829bc0606c936a16f6fca338127c86c0a1083970b45ac8d2@%3Ccommits.tomee.apache.org%3E - Mailing List, Third Party Advisory
References	~~(MLIST) https://lists.apache.org/thread.html/r290aee55b72811fd19e75ac80f6143716c079170c5671b96932ed44b@%3Ccommits.tomee.apache.org%3E -~~	(MLIST) https://lists.apache.org/thread.html/r290aee55b72811fd19e75ac80f6143716c079170c5671b96932ed44b@%3Ccommits.tomee.apache.org%3E - Mailing List, Third Party Advisory
References	~~(CONFIRM) https://security.netapp.com/advisory/ntap-20210827-0007/ -~~	(CONFIRM) https://security.netapp.com/advisory/ntap-20210827-0007/ - Third Party Advisory
References	~~(MLIST) https://lists.apache.org/thread.html/re01e7e93154e8bdf78a11a23f9686427bd3d51fc6e12c508645567b7@%3Ccommits.tomee.apache.org%3E -~~	(MLIST) https://lists.apache.org/thread.html/re01e7e93154e8bdf78a11a23f9686427bd3d51fc6e12c508645567b7@%3Ccommits.tomee.apache.org%3E - Mailing List, Third Party Advisory
References	~~(MLIST) https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html -~~	(MLIST) https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html - Mailing List, Third Party Advisory
References	~~(N/A) https://www.oracle.com//security-alerts/cpujul2021.html -~~	(N/A) https://www.oracle.com//security-alerts/cpujul2021.html - Patch, Third Party Advisory
References	~~(MLIST) https://lists.apache.org/thread.html/rc6ef52453bb996a98cb45442871a1db56b7c349939e45d829bf9ae37@%3Ccommits.tomee.apache.org%3E -~~	(MLIST) https://lists.apache.org/thread.html/rc6ef52453bb996a98cb45442871a1db56b7c349939e45d829bf9ae37@%3Ccommits.tomee.apache.org%3E - Mailing List, Third Party Advisory
References	~~(MLIST) https://lists.apache.org/thread.html/rf1b54fd3f52f998ca4829159a88cc4c23d6cef5c6447d00948e75c97@%3Ccommits.tomee.apache.org%3E -~~	(MLIST) https://lists.apache.org/thread.html/rf1b54fd3f52f998ca4829159a88cc4c23d6cef5c6447d00948e75c97@%3Ccommits.tomee.apache.org%3E - Mailing List, Third Party Advisory
References	~~(DEBIAN) https://www.debian.org/security/2021/dsa-4952 -~~	(DEBIAN) https://www.debian.org/security/2021/dsa-4952 - Third Party Advisory

16 Sep 2021, 09:15

Type	Values Removed	Values Added
References		(MLIST) https://lists.apache.org/thread.html/rc6ef52453bb996a98cb45442871a1db56b7c349939e45d829bf9ae37@%3Ccommits.tomee.apache.org%3E -

14 Sep 2021, 10:15

Type	Values Removed	Values Added
References		(MLIST) https://lists.apache.org/thread.html/rf1b54fd3f52f998ca4829159a88cc4c23d6cef5c6447d00948e75c97@%3Ccommits.tomee.apache.org%3E -

13 Sep 2021, 13:15

Type	Values Removed	Values Added
References		(MLIST) https://lists.apache.org/thread.html/r290aee55b72811fd19e75ac80f6143716c079170c5671b96932ed44b@%3Ccommits.tomee.apache.org%3E -

30 Aug 2021, 11:15

Type	Values Removed	Values Added
References		(MLIST) https://lists.apache.org/thread.html/rd0dfea39829bc0606c936a16f6fca338127c86c0a1083970b45ac8d2@%3Ccommits.tomee.apache.org%3E -

27 Aug 2021, 07:15

Type	Values Removed	Values Added
References		(CONFIRM) https://security.netapp.com/advisory/ntap-20210827-0007/ - (DEBIAN) https://www.debian.org/security/2021/dsa-4952 -

10 Aug 2021, 15:15

Type	Values Removed	Values Added
References		(MLIST) https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html -

06 Aug 2021, 00:15

Type	Values Removed	Values Added
References		(MLIST) https://lists.apache.org/thread.html/r40f921575aee8d7d34e53182f862c45cbb8f3d898c9d4e865c2ec262@%3Ccommits.tomee.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/re01e7e93154e8bdf78a11a23f9686427bd3d51fc6e12c508645567b7@%3Ccommits.tomee.apache.org%3E -

30 Jul 2021, 14:15

Type	Values Removed	Values Added
References		(N/A) https://www.oracle.com//security-alerts/cpujul2021.html -

15 Jul 2021, 17:35

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 5.0 v3 : 5.3
References	~~(MISC) https://lists.apache.org/thread.html/r612a79269b0d5e5780c62dfd34286a8037232fec0bc6f1a7e60c9381%40%3Cannounce.tomcat.apache.org%3E -~~	(MISC) https://lists.apache.org/thread.html/r612a79269b0d5e5780c62dfd34286a8037232fec0bc6f1a7e60c9381%40%3Cannounce.tomcat.apache.org%3E - Mailing List, Vendor Advisory
CPE		cpe:2.3:a:apache:tomcat::::::::
CWE		CWE-444

12 Jul 2021, 15:33

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-07-12 15:15

Updated : 2023-12-10 13:55

NVD link : CVE-2021-33037

Mitre link : CVE-2021-33037

CVE.ORG link : CVE-2021-33037

JSON object : View

Products Affected

oracle

graph_server_and_client
hospitality_cruise_shipboard_property_management_system
communications_instant_messaging_server
sd-wan_edge
communications_policy_management
utilities_testing_accelerator
communications_cloud_native_core_policy
communications_pricing_design_center
agile_plm
healthcare_translational_research
managed_file_transfer
secure_global_desktop
communications_diameter_signaling_router
communications_session_route_manager
instantis_enterprisetrack
communications_session_report_manager
mysql_enterprise_monitor
communications_cloud_native_core_service_communication_proxy

apache

tomcat
tomee

mcafee

epolicy_orchestrator

debian

debian_linux

CWE

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

5.3 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2021-33037

5.3^/10

5.0^/10

Attach tags to `CVE-2021-33037`