{ "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2021-33037", "STATE": "PUBLIC", "TITLE": "Incorrect Transfer-Encoding handling with HTTP/1.0" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache Tomcat", "version": { "version_data": [ { "version_affected": "=", "version_name": "Apache Tomcat 10", "version_value": "10.0.0-M1 to 10.0.6" }, { "version_affected": "=", "version_name": "Apache Tomcat 9", "version_value": "9.0.0.M1 to 9.0.46" }, { "version_affected": "=", "version_name": "Apache Tomcat 8", "version_value": "8.5.0 to 8.5.66" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "The Apache Tomcat Security Team would like to thank Bahruz Jabiyev, Steven Sprecher and Kaan Onarlioglu of NEU seclab for identifying and reporting this issue." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ {} ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')" } ] } ] }, "references": { "reference_data": [ { "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r612a79269b0d5e5780c62dfd34286a8037232fec0bc6f1a7e60c9381%40%3Cannounce.tomcat.apache.org%3E", "name": "https://lists.apache.org/thread.html/r612a79269b0d5e5780c62dfd34286a8037232fec0bc6f1a7e60c9381%40%3Cannounce.tomcat.apache.org%3E" }, { "url": "https://www.oracle.com//security-alerts/cpujul2021.html", "refsource": "MISC", "name": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "refsource": "MLIST", "name": "[tomee-commits] 20210728 [jira] [Created] (TOMEE-3778) Update embedded Tomcat to 9.0.48 or later to address CVE-2021-33037", "url": "https://lists.apache.org/thread.html/r40f921575aee8d7d34e53182f862c45cbb8f3d898c9d4e865c2ec262@%3Ccommits.tomee.apache.org%3E" }, { "refsource": "MLIST", "name": "[tomee-commits] 20210728 [jira] [Commented] (TOMEE-3778) Update embedded Tomcat to 9.0.48 or later to address CVE-2021-33037", "url": "https://lists.apache.org/thread.html/re01e7e93154e8bdf78a11a23f9686427bd3d51fc6e12c508645567b7@%3Ccommits.tomee.apache.org%3E" }, { "refsource": "MLIST", "name": "[debian-lts-announce] 20210805 [SECURITY] [DLA 2733-1] tomcat8 security update", "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html" }, { "refsource": "DEBIAN", "name": "DSA-4952", "url": "https://www.debian.org/security/2021/dsa-4952" }, { "refsource": "MLIST", "name": "[tomee-commits] 20210830 [jira] [Commented] (TOMEE-3778) Update embedded Tomcat to 9.0.48 or later to address CVE-2021-33037", "url": "https://lists.apache.org/thread.html/rd0dfea39829bc0606c936a16f6fca338127c86c0a1083970b45ac8d2@%3Ccommits.tomee.apache.org%3E" }, { "refsource": "MLIST", "name": "[tomee-commits] 20210913 [jira] [Commented] (TOMEE-3778) Update embedded Tomcat to 9.0.48 or later to address CVE-2021-33037", "url": "https://lists.apache.org/thread.html/r290aee55b72811fd19e75ac80f6143716c079170c5671b96932ed44b@%3Ccommits.tomee.apache.org%3E" }, { "refsource": "MLIST", "name": "[tomee-commits] 20210914 [jira] [Commented] (TOMEE-3778) Update embedded Tomcat to 9.0.48 or later to address CVE-2021-33037", "url": "https://lists.apache.org/thread.html/rf1b54fd3f52f998ca4829159a88cc4c23d6cef5c6447d00948e75c97@%3Ccommits.tomee.apache.org%3E" }, { "refsource": "MLIST", "name": "[tomee-commits] 20210916 [jira] [Resolved] (TOMEE-3778) Update embedded Tomcat to 9.0.48 or later to address CVE-2021-33037", "url": "https://lists.apache.org/thread.html/rc6ef52453bb996a98cb45442871a1db56b7c349939e45d829bf9ae37@%3Ccommits.tomee.apache.org%3E" }, { "url": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "name": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "refsource": "CONFIRM", "name": "https://security.netapp.com/advisory/ntap-20210827-0007/", "url": "https://security.netapp.com/advisory/ntap-20210827-0007/" }, { "refsource": "CONFIRM", "name": "https://kc.mcafee.com/corporate/index?page=content&id=SB10366", "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10366" }, { "url": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "name": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "name": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "refsource": "GENTOO", "name": "GLSA-202208-34", "url": "https://security.gentoo.org/glsa/202208-34" } ] }, "source": { "discovery": "UNKNOWN" } }