Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-33037

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

Security Impact Summary

This vulnerability carries a MEDIUM severity rating with a CVSS v3.1 score of 5.3, indicating it can be exploited remotely over the network with relatively low complexity without requiring user interaction and does not require pre-existing privileges . The vulnerability impacts limited integrity, for affected systems. Impacting 22 products from apache, from apache, from debian and 19 others, organizations running these solutions should prioritize assessment and patching.

Historical Context

Reported in 2021, this vulnerability emerged during an era marked by increased sophistication in supply chain attacks, cloud infrastructure vulnerabilities, and software-as-a-service (SaaS) security challenges. Security practices during this period emphasized zero-trust architectures, container security, and API protection.

Published

2021-07-12T15:15:08.400

Last Modified

2024-11-21T06:08:10.320

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.3 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-444
Type: Primary
CWE-444

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	tomcat	≤ 8.5.66	Yes
Application	apache	tomcat	≤ 9.0.46	Yes
Application	apache	tomcat	≤ 10.0.6	Yes
Application	apache	tomee	8.0.6	Yes
Operating System	debian	debian_linux	9.0	Yes
Operating System	debian	debian_linux	10.0	Yes
Application	oracle	agile_plm	9.3.6	Yes
Application	oracle	communications_cloud_native_core_policy	1.14.0	Yes
Application	oracle	communications_cloud_native_core_service_communication_proxy	1.14.0	Yes
Application	oracle	communications_diameter_signaling_router	≤ 8.5.0.2	Yes
Application	oracle	communications_instant_messaging_server	10.0.1.5.0	Yes
Application	oracle	communications_policy_management	12.5.0	Yes
Application	oracle	communications_pricing_design_center	12.0.0.3.0	Yes
Application	oracle	communications_session_report_manager	≤ 8.2.4.0	Yes
Application	oracle	communications_session_route_manager	≤ 8.2.4	Yes
Application	oracle	graph_server_and_client	< 21.4	Yes
Application	oracle	healthcare_translational_research	4.1.0	Yes
Application	oracle	hospitality_cruise_shipboard_property_management_system	20.1.0	Yes
Application	oracle	instantis_enterprisetrack	17.1	Yes
Application	oracle	instantis_enterprisetrack	17.2	Yes
Application	oracle	instantis_enterprisetrack	17.3	Yes
Application	oracle	managed_file_transfer	12.2.1.3.0	Yes
Application	oracle	managed_file_transfer	12.2.1.4.0	Yes
Application	oracle	mysql_enterprise_monitor	≤ 8.0.25	Yes
Application	oracle	sd-wan_edge	9.0	Yes
Application	oracle	sd-wan_edge	9.1	Yes
Application	oracle	secure_global_desktop	5.6	Yes
Application	oracle	utilities_testing_accelerator	6.0.0.1.1	Yes
Application	oracle	utilities_testing_accelerator	6.0.0.2.2	Yes
Application	oracle	utilities_testing_accelerator	6.0.0.3.1	Yes
Application	mcafee	epolicy_orchestrator	< 5.10.0	Yes
Application	mcafee	epolicy_orchestrator	5.10.0	Yes
Application	mcafee	epolicy_orchestrator	5.10.0	Yes
Application	mcafee	epolicy_orchestrator	5.10.0	Yes
Application	mcafee	epolicy_orchestrator	5.10.0	Yes
Application	mcafee	epolicy_orchestrator	5.10.0	Yes
Application	mcafee	epolicy_orchestrator	5.10.0	Yes
Application	mcafee	epolicy_orchestrator	5.10.0	Yes
Application	mcafee	epolicy_orchestrator	5.10.0	Yes
Application	mcafee	epolicy_orchestrator	5.10.0	Yes
Application	mcafee	epolicy_orchestrator	5.10.0	Yes
Application	mcafee	epolicy_orchestrator	5.10.0	Yes

References

https://kc.mcafee.com/corporate/index?page=content&id=SB10366 Third Party Advisory ([email protected])
https://lists.apache.org/thread.html/r290aee55b72811fd19e75ac80f6143716c079170c5671b96932ed44b%40%3Ccommits.tomee.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/r40f921575aee8d7d34e53182f862c45cbb8f3d898c9d4e865c2ec262%40%3Ccommits.tomee.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/r612a79269b0d5e5780c62dfd34286a8037232fec0bc6f1a7e60c9381%40%3Cannounce.tomcat.apache.org%3E Mailing List, Vendor Advisory ([email protected])
https://lists.apache.org/thread.html/rc6ef52453bb996a98cb45442871a1db56b7c349939e45d829bf9ae37%40%3Ccommits.tomee.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/rd0dfea39829bc0606c936a16f6fca338127c86c0a1083970b45ac8d2%40%3Ccommits.tomee.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/re01e7e93154e8bdf78a11a23f9686427bd3d51fc6e12c508645567b7%40%3Ccommits.tomee.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/rf1b54fd3f52f998ca4829159a88cc4c23d6cef5c6447d00948e75c97%40%3Ccommits.tomee.apache.org%3E ([email protected])
https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html Mailing List, Third Party Advisory ([email protected])
https://security.gentoo.org/glsa/202208-34 Third Party Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20210827-0007/ Third Party Advisory ([email protected])
https://www.debian.org/security/2021/dsa-4952 Third Party Advisory ([email protected])
https://www.oracle.com//security-alerts/cpujul2021.html Patch, Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpuapr2022.html Patch, Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpujan2022.html Patch, Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpuoct2021.html Patch, Third Party Advisory ([email protected])
https://kc.mcafee.com/corporate/index?page=content&id=SB10366 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r290aee55b72811fd19e75ac80f6143716c079170c5671b96932ed44b%40%3Ccommits.tomee.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r40f921575aee8d7d34e53182f862c45cbb8f3d898c9d4e865c2ec262%40%3Ccommits.tomee.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r612a79269b0d5e5780c62dfd34286a8037232fec0bc6f1a7e60c9381%40%3Cannounce.tomcat.apache.org%3E Mailing List, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rc6ef52453bb996a98cb45442871a1db56b7c349939e45d829bf9ae37%40%3Ccommits.tomee.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rd0dfea39829bc0606c936a16f6fca338127c86c0a1083970b45ac8d2%40%3Ccommits.tomee.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/re01e7e93154e8bdf78a11a23f9686427bd3d51fc6e12c508645567b7%40%3Ccommits.tomee.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rf1b54fd3f52f998ca4829159a88cc4c23d6cef5c6447d00948e75c97%40%3Ccommits.tomee.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202208-34 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20210827-0007/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2021/dsa-4952 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com//security-alerts/cpujul2021.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuapr2022.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujan2022.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuoct2021.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For apache's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.