Fixed in Apache Tomcat 9.0.48

Note: The issue below was fixed in Apache Tomcat 9.0.47 but the release vote for the 9.0.47 release candidate did not pass. Therefore, although users must download 9.0.48 to obtain a version that includes a fix for this issue, version 9.0.47 is not included in the list of affected versions.

Important: Request Smuggling CVE-2021-33037

Apache Tomcat did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility of request smuggling when used with a reverse proxy. Specifically: Tomcat incorrectly ignored the transfer-encoding header if the client declared it would only accept an HTTP/1.0 response; Tomcat honoured the identify encoding; and Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

This was fixed with commits 45d70a86, 05f9e8b0 and a2c3dc4c.

This issue was reported to the Apache Tomcat Security team by Bahruz Jabiyev, Steven Sprecher and Kaan Onarlioglu of NEU seclab on 7 May 2021. The issue was made public on 12 July 2021.

Affects: 9.0.0.M1 to 9.0.46