TomEE / TOMEE-3778

Update embedded Tomcat to 9.0.48 or later to address CVE-2021-33037


Details

    Type: Bug
    Status: Resolved
    Priority: Major
    Resolution: Fixed
    Affects Version/s: 8.0.6
    Fix Version/s: 8.0.8
    Component/s: TomEE Build
    Labels: None

    Description

      Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy. Specifically:

      - Tomcat incorrectly ignored the transfer-encoding header if the client declared it would only accept an HTTP/1.0 response;
      - Tomcat honoured the identity encoding; and
      - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

      Link: https://nvd.nist.gov/vuln/detail/CVE-2021-33037
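      As an added worked example (not TomEE or Tomcat code, and written in Python rather than the project's Java so it runs stand-alone), the following models the three parsing mistakes listed above beside the strict behaviour, and shows on a constructed request how a reverse proxy that frames the body by chunked encoding and a back-end that falls back to Content-Length disagree about where one request ends. The function names, the Framing type and the sample request are the example's own and are not identifiers from Tomcat; the lenient branch is a model of the described logic, not Tomcat's source.

```python
from dataclasses import dataclass

SUPPORTED_CODINGS = {"chunked"}  # assumption: the only transfer coding this model implements


@dataclass
class Framing:
    mode: str        # "chunked", "content-length", "none" or "reject"
    reason: str
    length: int = 0  # body length when mode == "content-length"


def parse_transfer_encoding(headers, request_line, strict=True):
    """Decide how the request body is delimited (headers: lower-cased name -> value).

    strict=True is the corrected logic: the header is parsed whatever HTTP version
    the request line carries, "identity" is rejected, and "chunked" must be the
    final coding. strict=False is a model of the flawed logic the issue describes,
    not Tomcat's actual source.
    """
    has_cl = "content-length" in headers
    fallback = Framing("content-length" if has_cl else "none", "framed by Content-Length",
                       int(headers["content-length"]) if has_cl else 0)
    te = headers.get("transfer-encoding")
    if te is None:
        return fallback
    codings = [c.strip().lower() for c in te.split(",") if c.strip()]
    version = request_line.rsplit(" ", 1)[-1]

    if not strict:
        # Flaw 1: an HTTP/1.0 request line caused the header to be ignored outright.
        if version == "HTTP/1.0":
            return Framing(fallback.mode, "HTTP/1.0 request: Transfer-Encoding ignored", fallback.length)
        # Flaw 2: "identity" was honoured, i.e. treated as "no transfer coding applied".
        codings = [c for c in codings if c != "identity"]
        if not codings:
            return Framing(fallback.mode, "identity honoured: header treated as absent", fallback.length)
        # Flaw 3: chunked was accepted anywhere in the list, not only as the last coding.
        if "chunked" in codings:
            return Framing("chunked", "chunked present; position not checked")
        return Framing("reject", "unsupported transfer coding")

    # Corrected logic: the request's HTTP version plays no part in parsing the header.
    if "identity" in codings:
        return Framing("reject", "identity is not an acceptable transfer coding")
    if codings[-1] != "chunked":
        return Framing("reject", "chunked must be the final transfer coding")
    if any(c not in SUPPORTED_CODINGS for c in codings):
        return Framing("reject", "unsupported transfer coding")
    return Framing("chunked", "framed by chunked encoding")


def split_request(raw):
    """Split raw request bytes into (request line, header dict, bytes after the blank line)."""
    head, _, payload = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, payload


def read_body(payload, framing):
    """Consume one request body according to framing; return (body, unread bytes)."""
    if framing.mode == "content-length":
        return payload[:framing.length], payload[framing.length:]
    if framing.mode == "chunked":
        body, pos = b"", 0
        while True:
            eol = payload.index(b"\r\n", pos)
            size = int(payload[pos:eol].split(b";")[0], 16)  # chunk-size; extensions ignored
            pos = eol + 2
            if size == 0:
                break
            body += payload[pos:pos + size]
            pos += size + 2  # chunk data plus its trailing CRLF
        while payload[pos:pos + 2] != b"\r\n":  # skip trailer lines, if any
            pos = payload.index(b"\r\n", pos) + 2
        return body, payload[pos + 2:]
    return b"", payload  # "none" or "reject": nothing consumed


# Constructed sample (TE.CL style): a proxy that honours chunked encoding forwards
# the whole chunked body as one request. A back-end that ignores Transfer-Encoding
# on an HTTP/1.0 request line frames by Content-Length: 4 instead, so the chunk
# data "GET /admin ..." is left in its buffer and parsed as a second request.
SMUGGLE_REQUEST = (
    b"POST / HTTP/1.0\r\n"
    b"Host: app.internal\r\n"
    b"Content-Length: 4\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"17\r\n"                       # chunk-size 0x17 = 23 bytes
    b"GET /admin HTTP/1.1\r\n\r\n"  # the 23 bytes of chunk data
    b"\r\n"
    b"0\r\n\r\n"                    # last chunk, no trailers
)


def backend_view(raw, strict):
    """Return (framing mode, bytes left unread) for a back-end parsing in the given mode."""
    request_line, headers, payload = split_request(raw)
    framing = parse_transfer_encoding(headers, request_line, strict=strict)
    _, leftover = read_body(payload, framing)
    return framing.mode, leftover


if __name__ == "__main__":
    for strict in (False, True):
        mode, leftover = backend_view(SMUGGLE_REQUEST, strict)
        print(f"strict={strict}: framed by {mode}, unread={leftover[:20]!r}")
```

      The property worth checking in any HTTP parser sitting behind a proxy is the one the strict branch enforces: when a Transfer-Encoding header is present, the parser never silently falls back to Content-Length. Either the chunked framing is honoured or the request is rejected outright (400), so the back-end can never frame the body differently from the proxy in front of it.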


    People

      rzo1 Richard Zowalla
      sjafri Syed Jafri
      Votes: 0
      Watchers: 2
