CVE-2021-33037

Published Jul 12, 2021

Last updated a year ago

CVSS medium 5.3

Overview

Description: Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
Source: security@apache.org
NVD status: Modified

Risk scores

CVSS 3.1

Type: Primary
Base score: 5.3
Impact score: 1.4
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Severity: MEDIUM

CVSS 2.0

Type: Primary
Base score: 5
Impact score: 2.9
Exploitability score: 10
Vector string: AV:N/AC:L/Au:N/C:N/I:P/A:N

Weaknesses

nvd@nist.gov: CWE-444
security@apache.org: CWE-444

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A733D5AD-3CD1-4D8E-8114-00EE3C39AF59",
            "versionEndIncluding": "8.5.66",
            "versionStartIncluding": "8.5.0"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "201299B5-52B5-4845-A9E5-22A533A935A3",
            "versionEndIncluding": "9.0.46",
            "versionStartExcluding": "9.0.0"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C73FF8E1-9BE4-404F-B88C-AB7DBF25168E",
            "versionEndIncluding": "10.0.6",
            "versionStartExcluding": "10.0.0"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:apache:tomee:8.0.6:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "BD41F07F-EDA1-45B1-8BB4-2918918527D3"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252"
          },
          {
            "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C650FEDB-E903-4C2D-AD40-282AB5F2E3C2"
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4479F76A-4B67-41CC-98C7-C76B81050F8E"
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.14.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0AB059F2-FEC4-4180-8A90-39965495055E"
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "590ADE5F-0D0F-4576-8BA6-828758823442",
            "versionEndIncluding": "8.5.0.2",
            "versionStartIncluding": "8.0.0.0"
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.5.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C4A94B36-479F-48F2-9B9E-ACEA2589EF48"
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_policy_management:12.5.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5312AC7A-3C16-4967-ACA6-317289A749D0"
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D7B49D71-6A31-497A-B6A9-06E84F086E7A"
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9B7C949D-0AB3-4566-9096-014C82FC1CF1",
            "versionEndIncluding": "8.2.4.0",
            "versionStartIncluding": "8.0.0"
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1FDBAD8E-C926-4D6F-9FD2-B0428980D6DF",
            "versionEndIncluding": "8.2.4",
            "versionStartIncluding": "8.0.0"
          },
          {
            "criteria": "cpe:2.3:a:oracle:graph_server_and_client:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "29312DB7-AFD2-459E-A166-95437ABED12C",
            "versionEndExcluding": "21.4"
          },
          {
            "criteria": "cpe:2.3:a:oracle:healthcare_translational_research:4.1.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "523391D8-CB84-4EBD-B337-6A99F52E537F"
          },
          {
            "criteria": "cpe:2.3:a:oracle:hospitality_cruise_shipboard_property_management_system:20.1.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "05F5B430-8BA1-4865-93B5-0DE89F424B53"
          },
          {
            "criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "82EA4BA7-C38B-4AF3-8914-9E3D089EBDD4"
          },
          {
            "criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B9C9BC66-FA5F-4774-9BDA-7AB88E2839C4"
          },
          {
            "criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7F69B9A5-F21B-4904-9F27-95C0F7A628E3"
          },
          {
            "criteria": "cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A2E3E923-E2AD-400D-A618-26ADF7F841A2"
          },
          {
            "criteria": "cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9AB58D27-37F2-4A32-B786-3490024290A1"
          },
          {
            "criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "88627B99-16DC-4878-A63A-A40F6FC1F477",
            "versionEndIncluding": "8.0.25"
          },
          {
            "criteria": "cpe:2.3:a:oracle:sd-wan_edge:9.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "77E39D5C-5EFA-4FEB-909E-0A92004F2563"
          },
          {
            "criteria": "cpe:2.3:a:oracle:sd-wan_edge:9.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "06816711-7C49-47B9-A9D7-FB18CC3F42F2"
          },
          {
            "criteria": "cpe:2.3:a:oracle:secure_global_desktop:5.6:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9DA11710-9EA8-49B4-8FD1-3AEE442F6ADC"
          },
          {
            "criteria": "cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A3ED272C-A545-4F8C-86C0-2736B3F2DCAF"
          },
          {
            "criteria": "cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.2.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C5B4C338-11E1-4235-9D5A-960B2711AC39"
          },
          {
            "criteria": "cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.3.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8C93F84E-9680-44EF-8656-D27440B51698"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A30F7908-5AF6-4761-BC6A-4C18EFAE48E5",
            "versionEndExcluding": "5.10.0"
          },
          {
            "criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:-:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0F30D3AF-4FA3-4B7A-BE04-C24E2EA19A95"
          },
          {
            "criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7B00DDE7-7002-45BE-8EDE-65D964922CB0"
          },
          {
            "criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_10:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DB88C165-BB24-49FB-AAF6-087A766D5AD1"
          },
          {
            "criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "FF806B52-DAD5-4D12-8BB6-3CBF9DC6B8DF"
          },
          {
            "criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7DE847E0-431D-497D-9C57-C4E59749F6A0"
          },
          {
            "criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_4:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "46385384-5561-40AA-9FDE-A2DE4FDFAD3E"
          },
          {
            "criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_5:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B7CA7CA6-7CF2-48F6-81B5-69BA0A37EF4E"
          },
          {
            "criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_6:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9E4E5481-1070-4E1F-8679-1985DE4E785A"
          },
          {
            "criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_7:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D9EEA681-67FF-43B3-8610-0FA17FD279E5"
          },
          {
            "criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_8:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C33BA8EA-793D-4E79-BE9C-235ACE717216"
          },
          {
            "criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_9:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "823DBE80-CB8D-4981-AE7C-28F3FDD40451"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

CVSS 2.0

Weaknesses

Social media

Configurations

References