| Name | CVE-2021-33037 |
| Description | Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-2733-1, DSA-4952-1, ELA-475-1 |
| Debian Bugs | 991046 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| tomcat7 (PTS) | jessie, jessie (lts) | 7.0.56-3+really7.0.109-1+deb8u5 | fixed |
| stretch | 7.0.75-1 | vulnerable | |
| tomcat8 (PTS) | jessie, jessie (lts) | 8.0.14-1+deb8u27 | fixed |
| stretch (security) | 8.5.54-0+deb9u8 | fixed | |
| stretch (lts), stretch | 8.5.54-0+deb9u15 | fixed | |
| tomcat9 (PTS) | buster | 9.0.31-1~deb10u6 | fixed |
| buster (security) | 9.0.31-1~deb10u12 | fixed | |
| bullseye | 9.0.43-2~deb11u9 | fixed | |
| bullseye (security) | 9.0.43-2~deb11u10 | fixed | |
| sid, trixie, bookworm | 9.0.70-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| tomcat7 | source | jessie | (not affected) | |||
| tomcat7 | source | stretch | (unfixed) | end-of-life | ||
| tomcat7 | source | (unstable) | (unfixed) | |||
| tomcat8 | source | jessie | 8.0.14-1+deb8u22 | ELA-475-1 | ||
| tomcat8 | source | stretch | 8.5.54-0+deb9u7 | DLA-2733-1 | ||
| tomcat8 | source | (unstable) | (unfixed) | |||
| tomcat9 | source | buster | 9.0.31-1~deb10u5 | DSA-4952-1 | ||
| tomcat9 | source | bullseye | 9.0.43-2~deb11u1 | |||
| tomcat9 | source | (unstable) | 9.0.43-2 | 991046 |
https://github.com/apache/tomcat/commit/45d70a86a901cbd534f8f570bed2aec9f7f7b88e (9.0.47)
https://github.com/apache/tomcat/commit/05f9e8b00f5d9251fcd3c95dcfd6cf84177f46c8 (9.0.47)
https://github.com/apache/tomcat/commit/a2c3dc4c96168743ac0bab613709a5bbdaec41d0 (9.0.47)
https://github.com/apache/tomcat/commit/3202703e6d635e39b74262e81f0cb4bcbe2170dc (8.5.67)
https://github.com/apache/tomcat/commit/da0e7cb093cf68b052d9175e469dbd0464441b0b (8.5.67)
https://github.com/apache/tomcat/commit/8874fa02e9b36baa9ca6b226c0882c0190ca5a02 (8.5.67)
[jessie] - tomcat7 <not-affected> (Vulnerable code not present; chunked encoding not supported)