CVE-2021-33037

Incorrect Transfer-Encoding handling with HTTP/1.0

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

Apache Tomcat versiones 10.0.0-M1 hasta 10.0.6, versiones 9.0.0.M1 hasta 9.0.46 y versiones 8.5.0 hasta 8.5.66, no analizaban correctamente el encabezado de petición HTTP transfer-encoding en algunas circunstancias, conllevando a la posibilidad de contrabando de peticiones cuando se usaba con un proxy inverso. Específicamente: - Tomcat ignoraba incorrectamente el encabezado de codificación de transferencia si el cliente declaraba que sólo aceptaría una respuesta HTTP/1.0; - Tomcat honraba la codificación de identificación; y - Tomcat no se aseguraba de que, si estaba presente, la codificación en trozos fuera la codificación final

*Credits: The Apache Tomcat Security Team would like to thank Bahruz Jabiyev, Steven Sprecher and Kaan Onarlioglu of NEU seclab for identifying and reporting this issue.

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-05-17 CVE Reserved
2021-07-12 CVE Published
2024-08-03 CVE Updated
2024-09-12 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CAPEC

References (18)

URL	Tag	Source
https://kc.mcafee.com/corporate/index?page=content&id=SB10366	Third Party Advisory
https://lists.apache.org/thread.html/r290aee55b72811fd19e75ac80f6143716c079170c5671b96932ed44b%40%3Ccommits.tomee.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r40f921575aee8d7d34e53182f862c45cbb8f3d898c9d4e865c2ec262%40%3Ccommits.tomee.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rc6ef52453bb996a98cb45442871a1db56b7c349939e45d829bf9ae37%40%3Ccommits.tomee.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rd0dfea39829bc0606c936a16f6fca338127c86c0a1083970b45ac8d2%40%3Ccommits.tomee.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/re01e7e93154e8bdf78a11a23f9686427bd3d51fc6e12c508645567b7%40%3Ccommits.tomee.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rf1b54fd3f52f998ca4829159a88cc4c23d6cef5c6447d00948e75c97%40%3Ccommits.tomee.apache.org%3E	Mailing List
https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html	Mailing List
https://security.netapp.com/advisory/ntap-20210827-0007	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://www.oracle.com//security-alerts/cpujul2021.html	2023-11-07
https://www.oracle.com/security-alerts/cpuapr2022.html	2023-11-07
https://www.oracle.com/security-alerts/cpujan2022.html	2023-11-07
https://www.oracle.com/security-alerts/cpuoct2021.html	2023-11-07

URL	Date	SRC
https://lists.apache.org/thread.html/r612a79269b0d5e5780c62dfd34286a8037232fec0bc6f1a7e60c9381%40%3Cannounce.tomcat.apache.org%3E	2023-11-07
https://security.gentoo.org/glsa/202208-34	2023-11-07
https://www.debian.org/security/2021/dsa-4952	2023-11-07
https://access.redhat.com/security/cve/CVE-2021-33037	2022-07-07
https://bugzilla.redhat.com/show_bug.cgi?id=1981533	2022-07-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				>= 8.5.0 <= 8.5.66 Search vendor "Apache" for product "Tomcat" and version " >= 8.5.0 <= 8.5.66"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				> 9.0.0 <= 9.0.46 Search vendor "Apache" for product "Tomcat" and version " > 9.0.0 <= 9.0.46"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				> 10.0.0 <= 10.0.6 Search vendor "Apache" for product "Tomcat" and version " > 10.0.0 <= 10.0.6"		-		Affected
Apache Search vendor "Apache"		Tomee Search vendor "Apache" for product "Tomee"				8.0.6 Search vendor "Apache" for product "Tomee" and version "8.0.6"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Oracle Search vendor "Oracle"		Agile Plm Search vendor "Oracle" for product "Agile Plm"				9.3.6 Search vendor "Oracle" for product "Agile Plm" and version "9.3.6"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Policy Search vendor "Oracle" for product "Communications Cloud Native Core Policy"				1.14.0 Search vendor "Oracle" for product "Communications Cloud Native Core Policy" and version "1.14.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Service Communication Proxy Search vendor "Oracle" for product "Communications Cloud Native Core Service Communication Proxy"				1.14.0 Search vendor "Oracle" for product "Communications Cloud Native Core Service Communication Proxy" and version "1.14.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Diameter Signaling Router Search vendor "Oracle" for product "Communications Diameter Signaling Router"				>= 8.0.0.0 <= 8.5.0.2 Search vendor "Oracle" for product "Communications Diameter Signaling Router" and version " >= 8.0.0.0 <= 8.5.0.2"		-		Affected
Oracle Search vendor "Oracle"		Communications Instant Messaging Server Search vendor "Oracle" for product "Communications Instant Messaging Server"				10.0.1.5.0 Search vendor "Oracle" for product "Communications Instant Messaging Server" and version "10.0.1.5.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Policy Management Search vendor "Oracle" for product "Communications Policy Management"				12.5.0 Search vendor "Oracle" for product "Communications Policy Management" and version "12.5.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Pricing Design Center Search vendor "Oracle" for product "Communications Pricing Design Center"				12.0.0.3.0 Search vendor "Oracle" for product "Communications Pricing Design Center" and version "12.0.0.3.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Session Report Manager Search vendor "Oracle" for product "Communications Session Report Manager"				>= 8.0.0 <= 8.2.4.0 Search vendor "Oracle" for product "Communications Session Report Manager" and version " >= 8.0.0 <= 8.2.4.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Session Route Manager Search vendor "Oracle" for product "Communications Session Route Manager"				>= 8.0.0 <= 8.2.4 Search vendor "Oracle" for product "Communications Session Route Manager" and version " >= 8.0.0 <= 8.2.4"		-		Affected
Oracle Search vendor "Oracle"		Graph Server And Client Search vendor "Oracle" for product "Graph Server And Client"				< 21.4 Search vendor "Oracle" for product "Graph Server And Client" and version " < 21.4"		-		Affected
Oracle Search vendor "Oracle"		Healthcare Translational Research Search vendor "Oracle" for product "Healthcare Translational Research"				4.1.0 Search vendor "Oracle" for product "Healthcare Translational Research" and version "4.1.0"		-		Affected
Oracle Search vendor "Oracle"		Hospitality Cruise Shipboard Property Management System Search vendor "Oracle" for product "Hospitality Cruise Shipboard Property Management System"				20.1.0 Search vendor "Oracle" for product "Hospitality Cruise Shipboard Property Management System" and version "20.1.0"		-		Affected
Oracle Search vendor "Oracle"		Instantis Enterprisetrack Search vendor "Oracle" for product "Instantis Enterprisetrack"				17.1 Search vendor "Oracle" for product "Instantis Enterprisetrack" and version "17.1"		-		Affected
Oracle Search vendor "Oracle"		Instantis Enterprisetrack Search vendor "Oracle" for product "Instantis Enterprisetrack"				17.2 Search vendor "Oracle" for product "Instantis Enterprisetrack" and version "17.2"		-		Affected
Oracle Search vendor "Oracle"		Instantis Enterprisetrack Search vendor "Oracle" for product "Instantis Enterprisetrack"				17.3 Search vendor "Oracle" for product "Instantis Enterprisetrack" and version "17.3"		-		Affected
Oracle Search vendor "Oracle"		Managed File Transfer Search vendor "Oracle" for product "Managed File Transfer"				12.2.1.3.0 Search vendor "Oracle" for product "Managed File Transfer" and version "12.2.1.3.0"		-		Affected
Oracle Search vendor "Oracle"		Managed File Transfer Search vendor "Oracle" for product "Managed File Transfer"				12.2.1.4.0 Search vendor "Oracle" for product "Managed File Transfer" and version "12.2.1.4.0"		-		Affected
Oracle Search vendor "Oracle"		Mysql Enterprise Monitor Search vendor "Oracle" for product "Mysql Enterprise Monitor"				<= 8.0.25 Search vendor "Oracle" for product "Mysql Enterprise Monitor" and version " <= 8.0.25"		-		Affected
Oracle Search vendor "Oracle"		Sd-wan Edge Search vendor "Oracle" for product "Sd-wan Edge"				9.0 Search vendor "Oracle" for product "Sd-wan Edge" and version "9.0"		-		Affected
Oracle Search vendor "Oracle"		Sd-wan Edge Search vendor "Oracle" for product "Sd-wan Edge"				9.1 Search vendor "Oracle" for product "Sd-wan Edge" and version "9.1"		-		Affected
Oracle Search vendor "Oracle"		Secure Global Desktop Search vendor "Oracle" for product "Secure Global Desktop"				5.6 Search vendor "Oracle" for product "Secure Global Desktop" and version "5.6"		-		Affected
Oracle Search vendor "Oracle"		Utilities Testing Accelerator Search vendor "Oracle" for product "Utilities Testing Accelerator"				6.0.0.1.1 Search vendor "Oracle" for product "Utilities Testing Accelerator" and version "6.0.0.1.1"		-		Affected
Oracle Search vendor "Oracle"		Utilities Testing Accelerator Search vendor "Oracle" for product "Utilities Testing Accelerator"				6.0.0.2.2 Search vendor "Oracle" for product "Utilities Testing Accelerator" and version "6.0.0.2.2"		-		Affected
Oracle Search vendor "Oracle"		Utilities Testing Accelerator Search vendor "Oracle" for product "Utilities Testing Accelerator"				6.0.0.3.1 Search vendor "Oracle" for product "Utilities Testing Accelerator" and version "6.0.0.3.1"		-		Affected
Mcafee Search vendor "Mcafee"		Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator"				< 5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version " < 5.10.0"		-		Affected
Mcafee Search vendor "Mcafee"		Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator"				5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0"		-		Affected
Mcafee Search vendor "Mcafee"		Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator"				5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0"		update_1		Affected
Mcafee Search vendor "Mcafee"		Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator"				5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0"		update_10		Affected
Mcafee Search vendor "Mcafee"		Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator"				5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0"		update_2		Affected
Mcafee Search vendor "Mcafee"		Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator"				5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0"		update_3		Affected
Mcafee Search vendor "Mcafee"		Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator"				5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0"		update_4		Affected
Mcafee Search vendor "Mcafee"		Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator"				5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0"		update_5		Affected
Mcafee Search vendor "Mcafee"		Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator"				5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0"		update_6		Affected
Mcafee Search vendor "Mcafee"		Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator"				5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0"		update_7		Affected
Mcafee Search vendor "Mcafee"		Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator"				5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0"		update_8		Affected
Mcafee Search vendor "Mcafee"		Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator"				5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0"		update_9		Affected