HOMEVULNERABILITIESCVE-2021-33037
MEDIUM

CVE-2021-33037

CWE-444Published: July 12, 2021· Updated: Jun 17, 2026

5.3
CVSS v3.1

Official Description

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

NVD Source

Technical Analysis

CVE-2021-33037 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorNetwork
Attack ComplexityLow
Privileges Req.None
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityNone
IntegrityLow
AvailabilityNone
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Affected Vendors & Products

Apache2 product(s)
tomcattomee
Debian1 product(s)
debian linux
mcafee1 product(s)
epolicy orchestrator
Oracle18 product(s)
agile plmcommunications cloud native core policycommunications cloud native core service communication proxycommunications diameter signaling routercommunications instant messaging servercommunications policy managementcommunications pricing design centercommunications session report managercommunications session route managergraph server and clienthealthcare translational researchhospitality cruise shipboard property management system+6
Source: NVD CPE · 30 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

Official Patches & Advisories

All References (32)

Quick Facts

CVE IDCVE-2021-33037
CVSS Score5.3 / 10
SeverityMEDIUM
WeaknessCWE-444
CISA KEVNo
Affected4 vendor(s)
PublishedJul 12, 2021

Related CVEs (CWE-444)

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2021-33037 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.