Vulnerability Information Summary

CVE-2021-33037 Apache Tomcat HTTP Request Smuggling

Severity: Important

Vendor: The Apache Software Foundation

Affected Versions:
- Apache Tomcat 10.0.0-M1 to 10.0.6
- Apache Tomcat 9.0.0.M1 to 9.0.46
- Apache Tomcat 8.5.0 to 8.5.66

Description:
- Apache Tomcat does not correctly parse the HTTP Transfer-Encoding request header in some circumstances, which can lead to HTTP request smuggling when Tomcat is deployed behind a reverse proxy. Specifically:
  - Tomcat incorrectly ignores the Transfer-Encoding header if the client declares that it will only accept an HTTP/1.0 response;
  - Tomcat honours the identity transfer encoding; and
  - Tomcat does not ensure that the transfer encoding it applies is the final encoding listed.

Mitigation:
- Users of affected versions should apply one of the following mitigations:
  - Upgrade to Apache Tomcat 10.0.7 or later
  - Upgrade to Apache Tomcat 9.0.48 or later
  - Upgrade to Apache Tomcat 8.5.68 or later
- Note: This issue was fixed in versions 9.0.47 and 8.5.67, but the release votes for those versions did not pass, so they were never released.

History:
- 2021-07-12 Original announcement

Reference Links:
- [1] https://tomcat.apache.org/security-10.html
- [2] https://tomcat.apache.org/security-9.html
- [3] https://tomcat.apache.org/security-8.html
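The three parsing conditions in the description are exactly the cases in which a front-end proxy and a back-end server can disagree about where a request body ends. As an added example (not part of the advisory and not Tomcat's own code), the following conservative validator shows how a reverse proxy or WAF could reject such ambiguous framing before forwarding a request; the policy it enforces is an assumption of this example and is stricter than RFC 7230 strictly requires.

```python
from typing import Dict, List, Tuple


def parse_request_head(raw: bytes) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw request head into (http-version, headers).

    Header names are lowercased and repeated headers are kept as a list so
    that codings spread over several Transfer-Encoding lines are still seen.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    version = lines[0].split(" ")[-1]  # e.g. "HTTP/1.1"
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return version, headers


def check_transfer_encoding(raw: bytes) -> Tuple[bool, str]:
    """Return (accept, reason) for the request's body framing.

    Policy (assumed for this example): refuse any request whose framing two
    HTTP implementations could plausibly read differently.
    """
    version, headers = parse_request_head(raw)
    te_values = headers.get("transfer-encoding")
    if te_values is None:
        return True, "no transfer-encoding"
    # Case 1 from the advisory: Transfer-Encoding on a request that does not
    # speak HTTP/1.1 may be honoured by one hop and ignored by the next.
    if version != "HTTP/1.1":
        return False, f"transfer-encoding on {version} request"
    codings = [c.strip().lower()
               for v in te_values for c in v.split(",") if c.strip()]
    # Case 2: 'identity' is not a valid transfer coding under RFC 7230.
    if "identity" in codings:
        return False, "identity transfer coding"
    # Case 3: 'chunked' must appear exactly once and be the final coding.
    if codings.count("chunked") != 1 or codings[-1] != "chunked":
        return False, f"chunked is not the final coding: {codings}"
    # Content-Length next to Transfer-Encoding is the classic desync signal.
    if "content-length" in headers:
        return False, "content-length together with transfer-encoding"
    return True, "chunked framing"
```

Requests failing any check should be answered with a 400 at the front end rather than forwarded, so the back end never sees a body boundary the proxy did not also use.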