CVE-2021-33037

Name: CVE-2021-33037
Creator: NVD / NIST
Published: 2021-07-12T15:15:08.4+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.3/10EPSS 75.35%

Last modified Jun 17, 2026

CVE-2021-33037 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.. EPSS estimates a 75.35% chance of exploitation in the next 30 days.

Description

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

Metrics

CVSS 3.1

5.3/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS Probability

75.35%

99.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Apache	Tomcat	>= 8.5.0, <= 8.5.66
Apache	Tomcat	> 9.0.0, <= 9.0.46
Apache	Tomcat	> 10.0.0, <= 10.0.6
Apache	Tomee	8.0.6
Debian	Debian Linux	9.0
Debian	Debian Linux	10.0
Oracle	Agile Plm	9.3.6
Oracle	Communications Cloud Native Core Policy	1.14.0
Oracle	Communications Cloud Native Core Service Communication Proxy	1.14.0
Oracle	Communications Diameter Signaling Router	>= 8.0.0.0, <= 8.5.0.2
Oracle	Communications Instant Messaging Server	10.0.1.5.0
Oracle	Communications Policy Management	12.5.0
Oracle	Communications Pricing Design Center	12.0.0.3.0
Oracle	Communications Session Report Manager	>= 8.0.0, <= 8.2.4.0
Oracle	Communications Session Route Manager	>= 8.0.0, <= 8.2.4
Oracle	Graph Server And Client	< 21.4
Oracle	Healthcare Translational Research	4.1.0
Oracle	Hospitality Cruise Shipboard Property Management System	20.1.0
Oracle	Instantis Enterprisetrack	17.1
Oracle	Instantis Enterprisetrack	17.2
Oracle	Instantis Enterprisetrack	17.3
Oracle	Managed File Transfer	12.2.1.3.0
Oracle	Managed File Transfer	12.2.1.4.0
Oracle	Mysql Enterprise Monitor	<= 8.0.25
Oracle	Sd-Wan Edge	9.0
Oracle	Sd-Wan Edge	9.1
Oracle	Secure Global Desktop	5.6
Oracle	Utilities Testing Accelerator	6.0.0.1.1
Oracle	Utilities Testing Accelerator	6.0.0.2.2
Oracle	Utilities Testing Accelerator	6.0.0.3.1
Mcafee	Epolicy Orchestrator	< 5.10.0
Mcafee	Epolicy Orchestrator	5.10.0

References

https://kc.mcafee.com/corporate/index?page=content&id=SB10366Third Party Advisory
https://lists.apache.org/thread.html/r290aee55b72811fd19e75ac80f6143716c079170c5671b96932ed44b%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/r40f921575aee8d7d34e53182f862c45cbb8f3d898c9d4e865c2ec262%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/r612a79269b0d5e5780c62dfd34286a8037232fec0bc6f1a7e60c9381%40%3Cannounce.tomcat.apache.org%3EMailing List, Vendor Advisory
https://lists.apache.org/thread.html/rc6ef52453bb996a98cb45442871a1db56b7c349939e45d829bf9ae37%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/rd0dfea39829bc0606c936a16f6fca338127c86c0a1083970b45ac8d2%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/re01e7e93154e8bdf78a11a23f9686427bd3d51fc6e12c508645567b7%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/rf1b54fd3f52f998ca4829159a88cc4c23d6cef5c6447d00948e75c97%40%3Ccommits.tomee.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/08/msg00009.htmlMailing List, Third Party Advisory
https://security.gentoo.org/glsa/202208-34Third Party Advisory
https://security.netapp.com/advisory/ntap-20210827-0007/Third Party Advisory
https://www.debian.org/security/2021/dsa-4952Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory
https://kc.mcafee.com/corporate/index?page=content&id=SB10366Third Party Advisory
https://lists.apache.org/thread.html/r290aee55b72811fd19e75ac80f6143716c079170c5671b96932ed44b%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/r40f921575aee8d7d34e53182f862c45cbb8f3d898c9d4e865c2ec262%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/r612a79269b0d5e5780c62dfd34286a8037232fec0bc6f1a7e60c9381%40%3Cannounce.tomcat.apache.org%3EMailing List, Vendor Advisory
https://lists.apache.org/thread.html/rc6ef52453bb996a98cb45442871a1db56b7c349939e45d829bf9ae37%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/rd0dfea39829bc0606c936a16f6fca338127c86c0a1083970b45ac8d2%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/re01e7e93154e8bdf78a11a23f9686427bd3d51fc6e12c508645567b7%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/rf1b54fd3f52f998ca4829159a88cc4c23d6cef5c6447d00948e75c97%40%3Ccommits.tomee.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/08/msg00009.htmlMailing List, Third Party Advisory
https://security.gentoo.org/glsa/202208-34Third Party Advisory
https://security.netapp.com/advisory/ntap-20210827-0007/Third Party Advisory
https://www.debian.org/security/2021/dsa-4952Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory

Timeline

Published: Jul 12, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-33037?

How severe is CVE-2021-33037?

CVE-2021-33037 has a CVSS score of 5.3/10 (MEDIUM severity). The EPSS model estimates a 75.35% probability of exploitation in the next 30 days.

How do I fix CVE-2021-33037?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-33037?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST