5.3
CVE-2021-33037
- EPSS 3.1%
- Published 12.07.2021 15:15:08
- Last modified 21.11.2024 06:08:10
- Source security@apache.org
Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy. Specifically:
- Tomcat incorrectly ignored the transfer-encoding header if the client declared it would only accept an HTTP/1.0 response;
- Tomcat honoured the identity encoding; and
- Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
Data is provided by the National Vulnerability Database (NVD)
Vendor | Product | Version |
---|---|---|
Debian | Debian Linux | 9.0 |
Debian | Debian Linux | 10.0 |
Oracle | Communications Cloud Native Core Policy | 1.14.0 |
Oracle | Communications Cloud Native Core Service Communication Proxy | 1.14.0 |
Oracle | Communications Diameter Signaling Router | >= 8.0.0.0 <= 8.5.0.2 |
Oracle | Communications Instant Messaging Server | 10.0.1.5.0 |
Oracle | Communications Policy Management | 12.5.0 |
Oracle | Communications Pricing Design Center | 12.0.0.3.0 |
Oracle | Communications Session Report Manager | >= 8.0.0 <= 8.2.4.0 |
Oracle | Communications Session Route Manager | >= 8.0.0 <= 8.2.4 |
Oracle | Graph Server And Client | < 21.4 |
Oracle | Healthcare Translational Research | 4.1.0 |
Oracle | Hospitality Cruise Shipboard Property Management System | 20.1.0 |
Oracle | Instantis Enterprisetrack | 17.1 |
Oracle | Instantis Enterprisetrack | 17.2 |
Oracle | Instantis Enterprisetrack | 17.3 |
Oracle | Managed File Transfer | 12.2.1.3.0 |
Oracle | Managed File Transfer | 12.2.1.4.0 |
Oracle | Mysql Enterprise Monitor | <= 8.0.25 |
Oracle | Sd-wan Edge | 9.0 |
Oracle | Sd-wan Edge | 9.1 |
Oracle | Secure Global Desktop | 5.6 |
Oracle | Utilities Testing Accelerator | 6.0.0.1.1 |
Oracle | Utilities Testing Accelerator | 6.0.0.2.2 |
Oracle | Utilities Testing Accelerator | 6.0.0.3.1 |
Mcafee | Epolicy Orchestrator | < 5.10.0 |
Mcafee | Epolicy Orchestrator | 5.10.0 (update: -) |
Mcafee | Epolicy Orchestrator | 5.10.0 (update: update_1) |
Mcafee | Epolicy Orchestrator | 5.10.0 (update: update_10) |
Mcafee | Epolicy Orchestrator | 5.10.0 (update: update_2) |
Mcafee | Epolicy Orchestrator | 5.10.0 (update: update_3) |
Mcafee | Epolicy Orchestrator | 5.10.0 (update: update_4) |
Mcafee | Epolicy Orchestrator | 5.10.0 (update: update_5) |
Mcafee | Epolicy Orchestrator | 5.10.0 (update: update_6) |
Mcafee | Epolicy Orchestrator | 5.10.0 (update: update_7) |
Mcafee | Epolicy Orchestrator | 5.10.0 (update: update_8) |
Mcafee | Epolicy Orchestrator | 5.10.0 (update: update_9) |
No CISA KEV entry or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 3.1% | 0.863 |
Source | Base Score | Exploit Score | Impact Score | Vector string |
---|---|---|---|---|
nvd@nist.gov | 5.3 | 3.9 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
nvd@nist.gov | 5 | 10 | 2.9 | AV:N/AC:L/Au:N/C:N/I:P/A:N |
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.