CVE-2021-33037

Incorrect Transfer-Encoding handling with HTTP/1.0

EPSS 75.4% | CWE-444
In short

Apache Tomcat versions 8.5, 9.0, and 10.0 have a flaw where they don't properly handle the HTTP transfer-encoding header in certain cases, allowing an attacker to manipulate how requests are processed when Tomcat sits behind a reverse proxy. This can lead to request smuggling attacks where one request is interpreted differently by the proxy and Tomcat, bypassing security controls.

Technical detail

The vulnerability stems from improper Transfer-Encoding header parsing: Tomcat ignores transfer-encoding if a client requests HTTP/1.0 responses, incorrectly honors identity encoding, and fails to validate that chunked encoding is the final encoding in the chain. When deployed behind a reverse proxy, this discrepancy enables HTTP request smuggling (CWE-444), allowing attackers to inject requests that bypass WAF or authentication mechanisms.

Summary generated and translated by AI from the official description.
Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy. Specifically:

- Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response;
- Tomcat honoured the identity encoding; and
- Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
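
The three conditions listed above can be expressed as a strict framing check that a test harness or front-end filter might apply to a request head. This is an added example, not Tomcat's code or its fix. The function names, the sample requests and the policy choices are assumptions: the header is treated the same for HTTP/1.0 and HTTP/1.1 requests, and a request carrying both Transfer-Encoding and Content-Length is rejected.

```python
# Added example: strict Transfer-Encoding validation (hypothetical helper, not Tomcat's code).
def parse_head(raw: bytes):
    """Split a request head into (version, {lowercased-name: [values]})."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    version = lines[0].rsplit(" ", 1)[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return version, headers


def body_framing(raw: bytes):
    """Return (decision, reason); decision is 'chunked', 'length', 'none' or 'reject'."""
    version, headers = parse_head(raw)
    te_values = headers.get("transfer-encoding")
    if te_values is None:
        return ("length", "Content-Length") if "content-length" in headers else ("none", "no body")
    # Condition 1: the header is evaluated whatever HTTP version the request declares.
    codings = [c.strip().lower() for v in te_values for c in v.split(",") if c.strip()]
    # Condition 2: 'identity' is not accepted as a transfer coding.
    if "identity" in codings:
        return ("reject", "identity coding")
    # Condition 3: chunked must appear exactly once and be the final coding.
    if not codings or codings[-1] != "chunked" or codings.count("chunked") != 1:
        return ("reject", "chunked is not the final coding")
    # Assumed strict policy: ambiguous framing is refused rather than resolved.
    if "content-length" in headers:
        return ("reject", "both Transfer-Encoding and Content-Length")
    return ("chunked", f"chunked body on {version}")


SAMPLES = {  # constructed request heads, one per condition plus a baseline
    "http10_chunked": b"POST /a HTTP/1.0\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\n\r\n",
    "identity": b"POST /a HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: identity\r\nContent-Length: 5\r\n\r\n",
    "chunked_not_last": b"POST /a HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked, gzip\r\n\r\n",
    "plain": b"POST /a HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\n",
}

if __name__ == "__main__":
    for label, head in SAMPLES.items():
        print(label, body_framing(head))
```

Running the same heads through both the reverse proxy and the back end, and comparing how each frames the body, shows whether the two agree.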
