### [CVE-2021-33037](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33037)
![](https://img.shields.io/static/v1?label=Product&message=Apache%20Tomcat&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=Apache%20Tomcat%2010%2010.0.0-M1%20to%2010.0.6%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=Apache%20Tomcat%208%208.5.0%20to%208.5.66%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=Apache%20Tomcat%209%209.0.0.M1%20to%209.0.46%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-444%20Inconsistent%20Interpretation%20of%20HTTP%20Requests%20('HTTP%20Request%20Smuggling')&color=brightgreen)

### Description

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

### POC

#### Reference
- https://kc.mcafee.com/corporate/index?page=content&id=SB10366
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html

#### Github
- https://github.com/20142995/nuclei-templates
- https://github.com/ARPSyndicate/cve-scores
- https://github.com/Dzmitry-Basiachenka/dist-foreign-aliakh
- https://github.com/cyb3r-w0lf/nuclei-template-collection
- https://github.com/m3n0sd0n4ld/uCVE
- https://github.com/versio-io/product-lifecycle-security-api