CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |

CVSS3: 5.3 Medium (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | LOW |
Availability Impact | NONE |

EPSS: 0.123 Low (Percentile 95.5%)

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66
did not correctly parse the HTTP transfer-encoding request header in some
circumstances, leading to the possibility of request smuggling when used
with a reverse proxy. Specifically:

- Tomcat incorrectly ignored the transfer encoding header if the client
  declared it would only accept an HTTP/1.0 response;
- Tomcat honoured the identity encoding; and
- Tomcat did not ensure that, if present, the chunked encoding was the
  final encoding.

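The three conditions above can be checked on raw request heads at a front end or in captured traffic. The following is an added example, not Tomcat's code or the project's fix; the function names, finding labels and sample requests are constructed for illustration, and treating any Transfer-Encoding on an HTTP/1.0 request as a finding is a strict policy assumed here.

```python
# Added example (not Tomcat code): flag the three Transfer-Encoding
# conditions named in the advisory on raw HTTP/1.x request heads.

def parse_head(raw: bytes):
    """Split a raw request head into (http_version, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    version = lines[0].rsplit(" ", 1)[-1]
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return version, headers

def transfer_codings(headers):
    """Lowercased coding names across all Transfer-Encoding fields, in order."""
    codings = []
    for name, value in headers:
        if name == "transfer-encoding":
            for item in value.split(","):
                coding = item.split(";", 1)[0].strip().lower()  # drop parameters
                if coding:
                    codings.append(coding)
    return codings

def te_findings(raw: bytes):
    """Return the ambiguous-framing findings for one request (empty = clean)."""
    version, headers = parse_head(raw)
    codings = transfer_codings(headers)
    findings = []
    if not codings:
        return findings
    if version == "HTTP/1.0":  # a back end might ignore the header here
        findings.append("te-with-http-1.0")
    if "identity" in codings:  # coding a back end might still honour
        findings.append("identity-coding")
    if "chunked" in codings and codings[-1] != "chunked":
        findings.append("chunked-not-final")
    return findings

# Constructed sample request heads (hypothetical host and path).
HOST = b"Host: app.example\r\n"
SAMPLES = {
    "clean": b"POST /a HTTP/1.1\r\n" + HOST + b"Transfer-Encoding: chunked\r\n\r\n",
    "http10": b"POST /a HTTP/1.0\r\n" + HOST + b"Transfer-Encoding: chunked\r\n\r\n",
    "identity": b"POST /a HTTP/1.1\r\n" + HOST + b"Transfer-Encoding: identity\r\n\r\n",
    "not_final": b"POST /a HTTP/1.1\r\n" + HOST + b"Transfer-Encoding: chunked, gzip\r\n\r\n",
    "split": b"POST /a HTTP/1.1\r\n" + HOST
             + b"Transfer-Encoding: chunked\r\nTransfer-Encoding: gzip\r\n\r\n",
}
```

Requests that return a non-empty list are the ones a proxy and an affected Tomcat could frame differently, so they are candidates for rejection at the front end or for review in logs.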
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 14.04 | noarch | tomcat6 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | tomcat6 | < any | UNKNOWN |
ubuntu | 18.04 | noarch | tomcat7 | < any | UNKNOWN |
ubuntu | 14.04 | noarch | tomcat7 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | tomcat7 | < any | UNKNOWN |
ubuntu | 18.04 | noarch | tomcat8 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | tomcat8 | < any | UNKNOWN |
ubuntu | 18.04 | noarch | tomcat9 | < 9.0.16-3ubuntu0.18.04.2 | UNKNOWN |
ubuntu | 20.04 | noarch | tomcat9 | < 9.0.31-1ubuntu0.2 | UNKNOWN |
ubuntu | 22.04 | noarch | tomcat9 | < any | UNKNOWN |
github.com/apache/tomcat/commit/05f9e8b00f5d9251fcd3c95dcfd6cf84177f46c8 (9.0.47)
github.com/apache/tomcat/commit/3202703e6d635e39b74262e81f0cb4bcbe2170dc (8.5.67)
github.com/apache/tomcat/commit/45d70a86a901cbd534f8f570bed2aec9f7f7b88e (9.0.47)
github.com/apache/tomcat/commit/8874fa02e9b36baa9ca6b226c0882c0190ca5a02 (8.5.67)
github.com/apache/tomcat/commit/a2c3dc4c96168743ac0bab613709a5bbdaec41d0 (9.0.47)
github.com/apache/tomcat/commit/da0e7cb093cf68b052d9175e469dbd0464441b0b (8.5.67)
launchpad.net/bugs/cve/CVE-2021-33037
lists.apache.org/thread.html/r612a79269b0d5e5780c62dfd34286a8037232fec0bc6f1a7e60c9381%40%3Cannounce.tomcat.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2021-33037
security-tracker.debian.org/tracker/CVE-2021-33037
ubuntu.com/security/notices/USN-5360-1
www.cve.org/CVERecord?id=CVE-2021-33037