VYPR
Medium severity5.3NVD Advisory· Published Jul 12, 2021· Updated Jun 17, 2026

CVE-2021-33037

CVE-2021-33037

Description

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.tomcat:tomcatMaven
>= 10.0.0-M1, < 10.0.710.0.7
org.apache.tomcat:tomcatMaven
>= 9.0.0-M1, < 9.0.489.0.48
org.apache.tomcat:tomcatMaven
>= 8.5.0, < 8.5.688.5.68

Affected products

33

Patches

Vulnerability mechanics

References

38

News mentions

0

No linked articles in our index yet.