You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@tomee.apache.org by "Syed Jafri (Jira)" <ji...@apache.org> on 2021/07/28 07:46:00 UTC

[jira] [Created] (TOMEE-3778) Update embedded Tomcat to 9.0.48 or later to address CVE-2021-33037

Syed Jafri created TOMEE-3778:
---------------------------------

             Summary: Update embedded Tomcat to 9.0.48 or later to address CVE-2021-33037
                 Key: TOMEE-3778
                 URL: https://issues.apache.org/jira/browse/TOMEE-3778
             Project: TomEE
          Issue Type: Bug
          Components: TomEE Build
    Affects Versions: 8.0.6
            Reporter: Syed Jafri


*Description*:

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

*Link*: [https://nvd.nist.gov/vuln/detail/CVE-2021-33037]

 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)