CVE-2021-33037

CVSS V2 Medium 5 CVSS V3 Medium 5.3
Description
Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
Overview
  • CVE ID
  • CVE-2021-33037
  • Assigner
  • security@apache.org
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2021-07-12T15:15:08
  • Last Modified Date
  • 2022-10-27T01:08:55
Weakness Enumerations
CWE URL
CWE-444 http://cwe.mitre.org/data/definitions/444.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* 1 OR 8.5.0 8.5.66
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* 1 OR 9.0.46
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* 1 OR 10.0.6
cpe:2.3:a:apache:tomee:8.0.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.14.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:* 1 OR 8.0.0.0 8.5.0.2
cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.5.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:communications_policy_management:12.5.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:* 1 OR 8.0.0 8.2.4.0
cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:* 1 OR 8.0.0 8.2.4
cpe:2.3:a:oracle:graph_server_and_client:*:*:*:*:*:*:*:* 1 OR 21.4
cpe:2.3:a:oracle:healthcare_translational_research:4.1.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:hospitality_cruise_shipboard_property_management_system:20.1.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* 1 OR 8.0.25
cpe:2.3:a:oracle:sd-wan_edge:9.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:sd-wan_edge:9.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:secure_global_desktop:5.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.2.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.3.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mcafee:epolicy_orchestrator:*:*:*:*:*:*:*:* 1 OR 5.10.0
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:-:*:*:*:*:*:* 1 OR
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_1:*:*:*:*:*:* 1 OR
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_10:*:*:*:*:*:* 1 OR
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_2:*:*:*:*:*:* 1 OR
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_3:*:*:*:*:*:* 1 OR
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_4:*:*:*:*:*:* 1 OR
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_5:*:*:*:*:*:* 1 OR
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_6:*:*:*:*:*:* 1 OR
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_7:*:*:*:*:*:* 1 OR
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_8:*:*:*:*:*:* 1 OR
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_9:*:*:*:*:*:* 1 OR
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:L/Au:N/C:N/I:P/A:N
  • Access Vector
  • NETWORK
  • Access Compatibility
  • LOW
  • Authentication
  • NONE
  • Confidentiality Impact
  • NONE
  • Integrity Impact
  • PARTIAL
  • Availability Impact
  • NONE
  • Base Score
  • 5
  • Severity
  • MEDIUM
  • Exploitability Score
  • 10
  • Impact Score
  • 2.9
CVSS Version 3
  • Version
  • 3.1
  • Vector String
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • Attack Vector
  • NETWORK
  • Attack Compatibility
  • LOW
  • Privileges Required
  • NONE
  • User Interaction
  • NONE
  • Scope
  • UNCHANGED
  • Confidentiality Impact
  • NONE
  • Availability Impact
  • NONE
  • Base Score
  • 5.3
  • Base Severity
  • MEDIUM
  • Exploitability Score
  • 3.9
  • Impact Score
  • 1.4
References
Reference URL Reference Tags
https://kc.mcafee.com/corporate/index?page=content&id=SB10366 Third Party Advisory
https://lists.apache.org/thread.html/r290aee55b72811fd19e75ac80f6143716c079170c5671b96932ed44b@%3Ccommits.tomee.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r40f921575aee8d7d34e53182f862c45cbb8f3d898c9d4e865c2ec262@%3Ccommits.tomee.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r612a79269b0d5e5780c62dfd34286a8037232fec0bc6f1a7e60c9381%40%3Cannounce.tomcat.apache.org%3E Mailing List Vendor Advisory
https://lists.apache.org/thread.html/rc6ef52453bb996a98cb45442871a1db56b7c349939e45d829bf9ae37@%3Ccommits.tomee.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/rd0dfea39829bc0606c936a16f6fca338127c86c0a1083970b45ac8d2@%3Ccommits.tomee.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/re01e7e93154e8bdf78a11a23f9686427bd3d51fc6e12c508645567b7@%3Ccommits.tomee.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/rf1b54fd3f52f998ca4829159a88cc4c23d6cef5c6447d00948e75c97@%3Ccommits.tomee.apache.org%3E Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html Mailing List Third Party Advisory
https://security.gentoo.org/glsa/202208-34 Third Party Advisory
https://security.netapp.com/advisory/ntap-20210827-0007/ Third Party Advisory
https://www.debian.org/security/2021/dsa-4952 Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html Patch Third Party Advisory
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2021-33037
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33037
History
Created Old Value New Value Data Type Notes
2022-04-20 16:59:09 Added to TrackCVE
2022-12-05 05:47:15 2021-07-12T15:15Z 2021-07-12T15:15:08 CVE Published Date updated
2022-12-05 05:47:15 2022-10-27T01:08:55 CVE Modified Date updated
2022-12-05 05:47:15 Analyzed Vulnerability Status updated
2022-12-05 05:47:20 References updated