What is CVE-2021-33037?

CVE-2021-33037 is a vulnerability in Apache Software Foundation Tomcat, classified under Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling). Published 2021-07-12.

Is CVE-2021-33037 known to be exploited?

6 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Apache Software Foundation Tomcat

CVE-2021-33037

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse prox…

Vulnerability class: HTTP Request Smuggling

EPSS: 0.754 (99.5th percentile) — read the EPSS interpretation.

Affected products

Apache Software Foundation Tomcat — versions Apache Tomcat 10 10.0.0-M1 to 10.0.6, Apache Tomcat 9 9.0.0.M1 to 9.0.46, Apache Tomcat 8 8.5.0 to 8.5.66

Weakness classification (CWE)

CWE-444 — Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling)

Public proof-of-concept exploits

References

lists.apache.org/thread.html/r612a79269b0d5e5780c62dfd34286a8037232fec0bc6f1a7e… (x_refsource_MISC)
www.oracle.com//security-alerts/cpujul2021.html (x_refsource_MISC)
[tomee-commits] 20210728 [jira] [Created] (TOMEE-3778) Update embedded Tomcat to 9.0.48 or later to address CVE-2021-33037 (mailing-list, x_refsource_MLIST)
[tomee-commits] 20210728 [jira] [Commented] (TOMEE-3778) Update embedded Tomcat to 9.0.48 or later to address CVE-2021-33037 (mailing-list, x_refsource_MLIST)
[debian-lts-announce] 20210805 [SECURITY] [DLA 2733-1] tomcat8 security update (mailing-list, x_refsource_MLIST)
DSA-4952 (vendor-advisory, x_refsource_DEBIAN)
[tomee-commits] 20210830 [jira] [Commented] (TOMEE-3778) Update embedded Tomcat to 9.0.48 or later to address CVE-2021-33037 (mailing-list, x_refsource_MLIST)
[tomee-commits] 20210913 [jira] [Commented] (TOMEE-3778) Update embedded Tomcat to 9.0.48 or later to address CVE-2021-33037 (mailing-list, x_refsource_MLIST)
[tomee-commits] 20210914 [jira] [Commented] (TOMEE-3778) Update embedded Tomcat to 9.0.48 or later to address CVE-2021-33037 (mailing-list, x_refsource_MLIST)
[tomee-commits] 20210916 [jira] [Resolved] (TOMEE-3778) Update embedded Tomcat to 9.0.48 or later to address CVE-2021-33037 (mailing-list, x_refsource_MLIST)

Frequently asked questions

What is CVE-2021-33037?: CVE-2021-33037 is a vulnerability in Apache Software Foundation Tomcat, classified under Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling). Published 2021-07-12.
Is CVE-2021-33037 known to be exploited?: 6 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.