CVE-2021-33037

EPSS 3.1%
Veröffentlicht 12.07.2021 15:15:08
Zuletzt bearbeitet 21.11.2024 06:08:10
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 19

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Tomcat Version >= 8.5.0 <= 8.5.66

Apache ≫ Tomcat Version > 9.0.0 <= 9.0.46

Apache ≫ Tomcat Version > 10.0.0 <= 10.0.6

Apache ≫ Tomee Version8.0.6

Debian ≫ Debian Linux Version9.0

Debian ≫ Debian Linux Version10.0

Oracle ≫ Agile Plm Version9.3.6

Oracle ≫ Communications Cloud Native Core Policy Version1.14.0

Oracle ≫ Communications Cloud Native Core Service Communication Proxy Version1.14.0

Oracle ≫ Communications Diameter Signaling Router Version >= 8.0.0.0 <= 8.5.0.2

Oracle ≫ Communications Instant Messaging Server Version10.0.1.5.0

Oracle ≫ Communications Policy Management Version12.5.0

Oracle ≫ Communications Pricing Design Center Version12.0.0.3.0

Oracle ≫ Communications Session Report Manager Version >= 8.0.0 <= 8.2.4.0

Oracle ≫ Communications Session Route Manager Version >= 8.0.0 <= 8.2.4

Oracle ≫ Graph Server And Client Version < 21.4

Oracle ≫ Healthcare Translational Research Version4.1.0

Oracle ≫ Hospitality Cruise Shipboard Property Management System Version20.1.0

Oracle ≫ Instantis Enterprisetrack Version17.1

Oracle ≫ Instantis Enterprisetrack Version17.2

Oracle ≫ Instantis Enterprisetrack Version17.3

Oracle ≫ Managed File Transfer Version12.2.1.3.0

Oracle ≫ Managed File Transfer Version12.2.1.4.0

Oracle ≫ Mysql Enterprise Monitor Version <= 8.0.25

Oracle ≫ Sd-wan Edge Version9.0

Oracle ≫ Sd-wan Edge Version9.1

Oracle ≫ Secure Global Desktop Version5.6

Oracle ≫ Utilities Testing Accelerator Version6.0.0.1.1

Oracle ≫ Utilities Testing Accelerator Version6.0.0.2.2

Oracle ≫ Utilities Testing Accelerator Version6.0.0.3.1

Mcafee ≫ Epolicy Orchestrator Version < 5.10.0

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Update-

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_1

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_10

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_2

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_3

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_4

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_5

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_6

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_7

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_8

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_9

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	3.1%	0.863

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.html

Patch

Third Party Advisory

https://www.oracle.com//security-alerts/cpujul2021.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

Patch

Third Party Advisory