PT-2021-3586 · Apache · Apache Tomcat
Published: 2021-06-15 · Updated: 2026-03-26
CVE-2021-33037
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 8.5.0 through 8.5.66
Apache Tomcat versions 9.0.0.M1 through 9.0.46
Apache Tomcat versions 10.0.0-M1 through 10.0.6
Description
The issue is caused by incorrect parsing of the HTTP Transfer-Encoding request header in certain circumstances, which makes request smuggling possible when Tomcat is deployed behind a reverse proxy. Specifically, Tomcat incorrectly ignored the Transfer-Encoding header if the client declared it would only accept an HTTP/1.0 response, Tomcat honored the identity encoding, and Tomcat did not ensure that, if present, the chunked encoding was the final encoding. Because the reverse proxy and Tomcat could then determine the end of a request differently, a remote attacker could send a hidden HTTP request that the proxy never saw as a separate request.
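The three parsing defects named above map onto concrete message-framing rules from RFC 7230 section 3.3.3. The validator below is an added example written for this page, not Tomcat's code or its fix; it applies those rules at a front end (reverse proxy or origin) so that an ambiguous request is rejected before two components can disagree about where it ends. The `validate_framing` function, the `Decision` type, the set of known transfer codings and the sample header sets are assumptions made for this example.

```python
"""Strict Transfer-Encoding validation for an HTTP/1.x front end.

Added example, not Apache Tomcat's code. It enforces the RFC 7230 section 3.3.3
rules that the advisory says Tomcat did not enforce, so an ambiguous request is
rejected instead of being framed differently by a proxy and by the origin.
The function and type names and the sample requests are assumptions.
"""
from dataclasses import dataclass
from typing import Mapping, Optional

# Transfer codings registered for HTTP/1.1 (RFC 7230 section 4). "identity"
# was dropped when RFC 2616 was obsoleted, so it is deliberately absent here.
KNOWN_CODINGS = {"chunked", "gzip", "deflate", "compress", "x-gzip", "x-compress"}


@dataclass(frozen=True)
class Decision:
    accept: bool
    reason: str
    # Only meaningful when accept is True: how the body must be delimited.
    framing: Optional[str] = None


def validate_framing(http_version: str, headers: Mapping[str, str]) -> Decision:
    """Decide how (or whether) to frame the body of one request.

    headers: field names lowercased; repeated fields already joined with ", ".
    """
    te = headers.get("transfer-encoding")
    cl = headers.get("content-length")

    if te is None:
        if cl is None:
            return Decision(True, "no body", framing="none")
        if not cl.strip().isdigit():
            return Decision(False, "non-numeric Content-Length")
        return Decision(True, "content-length", framing="content-length")

    # 1. Transfer-Encoding must be acted on (honoured or rejected), never
    #    silently ignored because the client claims HTTP/1.0. Ignoring it is
    #    the first defect in the advisory; this example chooses to reject.
    if http_version == "HTTP/1.0":
        return Decision(False, "Transfer-Encoding is not valid in an HTTP/1.0 request")

    codings = [c.strip().lower() for c in te.split(",") if c.strip()]
    if not codings:
        return Decision(False, "empty Transfer-Encoding")

    # 2. Codings that are not registered (including the obsolete "identity")
    #    cannot be decoded consistently by a proxy and an origin: reject.
    unknown = [c for c in codings if c not in KNOWN_CODINGS]
    if unknown:
        return Decision(False, f"unsupported transfer coding(s): {', '.join(unknown)}")

    # 3. chunked must appear exactly once and must be the final coding;
    #    otherwise the body length cannot be determined (RFC 7230 3.3.3).
    if codings.count("chunked") != 1 or codings[-1] != "chunked":
        return Decision(False, "chunked is absent, repeated or not the final coding")

    # 4. Transfer-Encoding together with Content-Length is the classic
    #    smuggling signal; RFC 7230 tells intermediaries to reject or strip it.
    if cl is not None:
        return Decision(False, "both Transfer-Encoding and Content-Length present")

    return Decision(True, "chunked", framing="chunked")


# Constructed sample requests for the example, not captured traffic.
SAMPLES = {
    "plain 1.1 chunked": ("HTTP/1.1", {"transfer-encoding": "chunked"}),
    "1.0 client with TE": ("HTTP/1.0", {"transfer-encoding": "chunked"}),
    "identity coding": ("HTTP/1.1", {"transfer-encoding": "identity"}),
    "chunked not final": ("HTTP/1.1", {"transfer-encoding": "chunked, gzip"}),
    "gzip then chunked": ("HTTP/1.1", {"transfer-encoding": "gzip, chunked"}),
    "TE plus CL": ("HTTP/1.1", {"transfer-encoding": "chunked", "content-length": "5"}),
}


def run_samples() -> dict:
    """Return {sample name: Decision} for every constructed sample."""
    return {name: validate_framing(v, h) for name, (v, h) in SAMPLES.items()}


if __name__ == "__main__":
    for name, d in run_samples().items():
        print(f"{name:22} -> {'accept' if d.accept else 'reject'}: {d.reason}")
```

Rejecting a Transfer-Encoding header in an HTTP/1.0 request is a design choice for this example; honouring it would also be safe. What created the vulnerability was the third option, silently ignoring the header, because the reverse proxy in front of Tomcat could then use chunked framing while Tomcat used Content-Length or end-of-stream for the same bytes.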
Recommendations
For Apache Tomcat versions 8.5.0 through 8.5.66, update to a version that correctly parses the HTTP transfer-encoding request header.
For Apache Tomcat versions 9.0.0.M1 through 9.0.46, update to a version that correctly parses the HTTP transfer-encoding request header.
For Apache Tomcat versions 10.0.0-M1 through 10.0.6, update to a version that correctly parses the HTTP transfer-encoding request header.
As a temporary workaround, consider restricting access to the vulnerable module to minimize the risk of exploitation.
Weakness Enumeration
HTTP Request/Response Smuggling
Related Identifiers
Affected Products
Alt Linux
Apache Tomcat
Astra Linux
Linuxmint
Suse
Ubuntu