CVE-2021-33037 [Medium] | Security Vulnerability in Tomcat

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-05-20	1.72%	1.86%	+0.14%
2	2026-05-14	1.86%	1.72%	-0.14%
3	2026-03-04	—	1.86%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-05-20

1.72%

1.86%

+0.14%

2026-05-14

1.86%

1.72%

-0.14%

2026-03-04

—

1.86%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
5.3	3.1	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:L) Attackers could change some data, but it’s limited—not everything goes. Availability (A:N) Service keeps running; no real outage angle.	3.9	1.4	[email protected]
5.0	2.0	MEDIUM	`AV:N/AC:L/Au:N/C:N/I:P/A:N` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:L) Exploitation conditions are straightforward and predictable. Authentication (AU:N) No authentication is required. Confidentiality impact (C:N) No confidentiality impact. Integrity impact (I:P) Partial integrity impact. Availability impact (A:N) No availability impact.	10.0	2.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

5.3

3.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N): Doesn’t really leak secrets in a meaningful way.
Integrity (I:L): Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N): Service keeps running; no real outage angle.

3.9

1.4

[email protected]

5.0

2.0

MEDIUM

AV:N/AC:L/Au:N/C:N/I:P/A:N Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:L): Exploitation conditions are straightforward and predictable.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:N): No confidentiality impact.
Integrity impact (I:P): Partial integrity impact.
Availability impact (A:N): No availability impact.

10.0

2.9

[email protected]

OS Trackers for CVE-2021-33037

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2021-33037 not yet assigned priority: Debian including 1 source packages (tomcat9), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2021-33037
`gentoo`	low	CVE-2021-33037: 1 GLSA(s) (202208-34), 1 atom(s) (www-servers/tomcat); latest impact low.	https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2021-33037
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2021-33037
`suse`	medium	CVE-2021-33037 severity moderate: SUSE including 377 source package names (5.0.0-beta1.2.122:tomcat-9.0.36-13.1, 5.0.0-beta1.2.122:tomcat-el-3_0-api-9.0.36-13.1, …), 644 product×package rows across 57 product lines (Container containers/apache-tomcat, Container suse/manager/5.0/x86_64/server, … (57 product lines)): Fixed 385, Known Affected 231, Will Not Fix 28.	https://www.suse.com/security/cve/CVE-2021-33037/
`ubuntu`	medium	CVE-2021-33037 medium priority: Ubuntu including 4 source packages (tomcat6, tomcat7, tomcat8, tomcat9), 64 status rows across 16 suites (bionic, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 40, ignored 9, needed 7, not-affected 4, released 4.	https://ubuntu.com/security/CVE-2021-33037

Affected software / configurations for CVE-2021-33037

Vendor	Product	Version	Raw CPE
apache	tomcat	>= 8.5.0, <= 8.5.66	cpe:2.3:a:apache:tomcat::::::::
apache	tomcat	> 9.0.0, <= 9.0.46	cpe:2.3:a:apache:tomcat::::::::
apache	tomcat	> 10.0.0, <= 10.0.6	cpe:2.3:a:apache:tomcat::::::::
apache	tomee	8.0.6	cpe:2.3:a:apache:tomee:8.0.6:::::::*
debian	debian_linux	9.0	cpe:2.3:o:debian:debian_linux:9.0:::::::*
debian	debian_linux	10.0	cpe:2.3:o:debian:debian_linux:10.0:::::::*
oracle	agile_plm	9.3.6	cpe:2.3:a:oracle:agile_plm:9.3.6:::::::*
oracle	communications_cloud_native_core_policy	1.14.0	cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:::::::*
oracle	communications_cloud_native_core_service_communication_proxy	1.14.0	cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.14.0:::::::*
oracle	communications_diameter_signaling_router	>= 8.0.0.0, <= 8.5.0.2	cpe:2.3:a:oracle:communications_diameter_signaling_router::::::::
oracle	communications_instant_messaging_server	10.0.1.5.0	cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.5.0:::::::*
oracle	communications_policy_management	12.5.0	cpe:2.3:a:oracle:communications_policy_management:12.5.0:::::::*
oracle	communications_pricing_design_center	12.0.0.3.0	cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0:::::::*
oracle	communications_session_report_manager	>= 8.0.0, <= 8.2.4.0	cpe:2.3:a:oracle:communications_session_report_manager::::::::
oracle	communications_session_route_manager	>= 8.0.0, <= 8.2.4	cpe:2.3:a:oracle:communications_session_route_manager::::::::
oracle	graph_server_and_client	< 21.4	cpe:2.3:a:oracle:graph_server_and_client::::::::
oracle	healthcare_translational_research	4.1.0	cpe:2.3:a:oracle:healthcare_translational_research:4.1.0:::::::*
oracle	hospitality_cruise_shipboard_property_management_system	20.1.0	cpe:2.3:a:oracle:hospitality_cruise_shipboard_property_management_system:20.1.0:::::::*
oracle	instantis_enterprisetrack	17.1	cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:::::::*
oracle	instantis_enterprisetrack	17.2	cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:::::::*
oracle	instantis_enterprisetrack	17.3	cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:::::::*
oracle	managed_file_transfer	12.2.1.3.0	cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:::::::*
oracle	managed_file_transfer	12.2.1.4.0	cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:::::::*
oracle	mysql_enterprise_monitor	<= 8.0.25	cpe:2.3:a:oracle:mysql_enterprise_monitor::::::::
oracle	sd-wan_edge	9.0	cpe:2.3:a:oracle:sd-wan_edge:9.0:::::::*
oracle	sd-wan_edge	9.1	cpe:2.3:a:oracle:sd-wan_edge:9.1:::::::*
oracle	secure_global_desktop	5.6	cpe:2.3:a:oracle:secure_global_desktop:5.6:::::::*
oracle	utilities_testing_accelerator	6.0.0.1.1	cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:::::::*
oracle	utilities_testing_accelerator	6.0.0.2.2	cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.2.2:::::::*
oracle	utilities_testing_accelerator	6.0.0.3.1	cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.3.1:::::::*
mcafee	epolicy_orchestrator	< 5.10.0	cpe:2.3:a:mcafee:epolicy_orchestrator::::::::
mcafee	epolicy_orchestrator	5.10.0	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:-::::::
mcafee	epolicy_orchestrator	5.10.0	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_1::::::
mcafee	epolicy_orchestrator	5.10.0	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_10::::::
mcafee	epolicy_orchestrator	5.10.0	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_2::::::
mcafee	epolicy_orchestrator	5.10.0	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_3::::::
mcafee	epolicy_orchestrator	5.10.0	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_4::::::
mcafee	epolicy_orchestrator	5.10.0	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_5::::::
mcafee	epolicy_orchestrator	5.10.0	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_6::::::
mcafee	epolicy_orchestrator	5.10.0	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_7::::::
mcafee	epolicy_orchestrator	5.10.0	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_8::::::
mcafee	epolicy_orchestrator	5.10.0	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_9::::::

References for CVE-2021-33037

URL	Tags
https://kc.mcafee.com/corporate/index?page=content&id=SB10366	Third Party Advisory
https://lists.apache.org/thread.html/r290aee55b72811fd19e75ac80f6143716c079170c5671b96932ed44b%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/r40f921575aee8d7d34e53182f862c45cbb8f3d898c9d4e865c2ec262%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/r612a79269b0d5e5780c62dfd34286a8037232fec0bc6f1a7e60c9381%40%3Cannounce.tomcat.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/rc6ef52453bb996a98cb45442871a1db56b7c349939e45d829bf9ae37%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/rd0dfea39829bc0606c936a16f6fca338127c86c0a1083970b45ac8d2%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/re01e7e93154e8bdf78a11a23f9686427bd3d51fc6e12c508645567b7%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/rf1b54fd3f52f998ca4829159a88cc4c23d6cef5c6447d00948e75c97%40%3Ccommits.tomee.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html	Mailing List Third Party Advisory
https://security.gentoo.org/glsa/202208-34	Third Party Advisory
https://security.netapp.com/advisory/ntap-20210827-0007/	Third Party Advisory
https://www.debian.org/security/2021/dsa-4952	Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html	Patch Third Party Advisory

URL

CVE-2021-33037 | Incorrect Transfer-Encoding handling with HTTP/1.0

Exploit prediction scoring system (EPSS) score for CVE-2021-33037

Common vulnerability scoring system (CVSS) metrics for CVE-2021-33037

Weakness enumeration for CVE-2021-33037

GitHub Security Advisory for CVE-2021-33037

OS Trackers for CVE-2021-33037

Affected software / configurations for CVE-2021-33037

References for CVE-2021-33037