CVE-2021-33037: 
Java vulnerability analysis and mitigation

CVE-2021-33037 affects Apache Tomcat versions 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46, and 8.5.0 to 8.5.66. The vulnerability was discovered in July 2021 and involves incorrect parsing of HTTP transfer-encoding request headers, which could lead to request smuggling when used with a reverse proxy (NVD).

The vulnerability stems from three specific issues in Tomcat's handling of transfer encoding headers: 1) Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response, 2) Tomcat honored the identify encoding, and 3) Tomcat did not ensure that the chunked encoding was the final encoding. The vulnerability has a CVSS v3.1 base score of 5.3 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD).

If exploited, this vulnerability could enable request smuggling attacks when Tomcat is used with a reverse proxy. This could potentially lead to unauthorized modification of data or bypass of security controls (NVD).

Users should upgrade to Apache Tomcat versions 8.5.67, 9.0.47, or 10.0.7 or later which contain fixes for this vulnerability. Multiple vendors have released patches including Oracle, Debian, and NetApp (Oracle CPU, Debian Advisory).