You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@tomee.apache.org by "Syed Jafri (Jira)" <ji...@apache.org> on 2021/07/28 07:46:00 UTC
[jira] [Created] (TOMEE-3778) Update embedded Tomcat to 9.0.48 or
later to address CVE-2021-33037
Syed Jafri created TOMEE-3778:
---------------------------------
Summary: Update embedded Tomcat to 9.0.48 or later to address CVE-2021-33037
Key: TOMEE-3778
URL: https://issues.apache.org/jira/browse/TOMEE-3778
Project: TomEE
Issue Type: Bug
Components: TomEE Build
Affects Versions: 8.0.6
Reporter: Syed Jafri
*Description*:
Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
*Link*: [https://nvd.nist.gov/vuln/detail/CVE-2021-33037]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)