CVE-2021-33037

Public on 2021-07-12
Modified on 2023-06-09
Description

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy. Specifically:

- Tomcat incorrectly ignored the transfer-encoding header if the client declared it would only accept an HTTP/1.0 response;
- Tomcat honoured the identity encoding; and
- Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
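The three parsing conditions in the description are the points at which a reverse proxy and a backend can disagree about where one request ends and the next begins. The following is an added example, not Tomcat's code or Amazon's, showing how a front end or proxy can evaluate the Transfer-Encoding header fail-closed: it checks the header regardless of the request's declared HTTP version, rejects the obsolete `identity` coding, and requires `chunked` to be the final coding. The function names and the sample request heads are constructed for this illustration.

```python
"""Fail-closed Transfer-Encoding check for a proxy or front end (added example).

Encodes the three conditions from the CVE-2021-33037 description:
  1. the header is evaluated even for an HTTP/1.0 request (a backend that
     silently ignores it while the proxy honours it is the desync surface);
  2. the obsolete "identity" transfer-coding is rejected;
  3. if "chunked" is present it must be the final coding (RFC 7230 3.3.3).
Names and sample data below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class Verdict:
    ok: bool
    reason: str


def parse_codings(header_value: str) -> list[str]:
    """Split a Transfer-Encoding value into lower-cased coding names.

    The value is a comma-separated list; each element may carry
    ';'-parameters, which are dropped. Empty elements are ignored.
    """
    codings = []
    for element in header_value.split(","):
        name = element.split(";", 1)[0].strip().lower()
        if name:
            codings.append(name)
    return codings


def check_transfer_encoding(headers: dict[str, list[str]], version: str) -> Verdict:
    """Judge the request's Transfer-Encoding header(s).

    `headers` maps lower-cased names to every value seen for that name
    (repeated headers are concatenated in order, as a list value would be).
    `version` is the request-line version; it never causes the check to be
    skipped (condition 1).
    """
    values = headers.get("transfer-encoding", [])
    if not values:
        return Verdict(True, "no transfer-encoding header")

    codings: list[str] = []
    for value in values:
        codings.extend(parse_codings(value))

    if version == "HTTP/1.0":
        # HTTP/1.0 defines no transfer-codings; rather than ignore the header
        # (the behaviour the CVE describes), refuse the ambiguous request.
        return Verdict(False, "transfer-encoding on an HTTP/1.0 request")
    if "identity" in codings:
        return Verdict(False, "obsolete 'identity' transfer-coding")  # condition 2
    if "chunked" not in codings:
        return Verdict(False, "transfer-encoding without a final 'chunked'")
    if codings[-1] != "chunked":
        return Verdict(False, "'chunked' is not the final coding")  # condition 3
    if codings.count("chunked") > 1:
        return Verdict(False, "'chunked' applied more than once")
    return Verdict(True, "chunked is the single final coding")


def parse_request_head(raw: bytes) -> tuple[str, dict[str, list[str]]]:
    """Parse a request head (request line + headers) into (version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    version = parts[2] if len(parts) == 3 else "HTTP/0.9"
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return version, headers


def vet_request(raw: bytes) -> Verdict:
    version, headers = parse_request_head(raw)
    return check_transfer_encoding(headers, version)


# Constructed sample request heads (no bodies; only the head is judged).
SAMPLES = {
    "plain": b"POST /app HTTP/1.1\r\nHost: example\r\nContent-Length: 5\r\n\r\n",
    "chunked": b"POST /app HTTP/1.1\r\nHost: example\r\nTransfer-Encoding: chunked\r\n\r\n",
    "gzip_then_chunked": b"POST /app HTTP/1.1\r\nHost: example\r\nTransfer-Encoding: gzip, chunked\r\n\r\n",
    "identity": b"POST /app HTTP/1.1\r\nHost: example\r\nTransfer-Encoding: identity\r\n\r\n",
    "chunked_not_last": b"POST /app HTTP/1.1\r\nHost: example\r\nTransfer-Encoding: chunked, gzip\r\n\r\n",
    "http10": b"POST /app HTTP/1.0\r\nHost: example\r\nTransfer-Encoding: chunked\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict = vet_request(raw)
        print(f"{name:18s} {'accept' if verdict.ok else 'reject'}: {verdict.reason}")
```

The check is deliberately stricter than what a lenient parser would accept: any request whose framing a proxy and a backend might read differently is refused rather than reinterpreted, which is the safe posture for a component that sits in front of an unpatched Tomcat.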

Severity: Medium
CVSS v3 Base Score: 4.3

Affected Packages

| Platform | Package | Release Date | Advisory |
|---|---|---|---|
| Amazon Linux 2 - Tomcat8.5 Extra | tomcat | 2023-08-21 20:58 | ALAS2TOMCAT8.5-2023-007 |
| Amazon Linux 2 - Tomcat8.5 Extra | tomcat | 2024-02-01 20:10 | ALAS2TOMCAT8.5-2024-017 |
| Amazon Linux 2 - Tomcat9 Extra | tomcat | 2024-02-01 20:10 | ALAS2TOMCAT9-2024-011 |
| Amazon Linux 2 - Tomcat9 Extra | tomcat | 2023-08-21 20:58 | ALAS2TOMCAT9-2023-007 |
| Amazon Linux 1 | tomcat8 | 2021-09-02 22:54 | ALAS-2021-1535 |
| Amazon Linux 2023 | tomcat9 | 2023-02-17 20:45 | ALAS2023-2023-059 |

CVSS Scores

| Source | Score Type | Score | Vector |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L |
| NVD | CVSSv2 | 5.0 | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| NVD | CVSSv3 | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |