
A vulnerability (CVE-2021-33037) discovered this year in Apache Tomcat causes incorrect parsing of the HTTP Transfer-Encoding request header in some circumstances, leading to the possibility of HTTP Request Smuggling (HRS) when Tomcat is used behind a reverse proxy. HTTP Request Smuggling is a web application vulnerability that enables an attacker to craft a single request that hides a second request within the body of the first; it works when the front end and the back end disagree about where the first request ends, so that the hidden request is processed by one of them but not the other. Qualys Web Application Scanning has added a new QID that detects this vulnerability by sending a request to the target server to determine whether it is exploitable.

About CVE-2021-33037

Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation. According to CVE-2021-33037, Apache Tomcat versions 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 are affected.

The vulnerability exists because affected versions of Apache Tomcat do not correctly parse the HTTP Transfer-Encoding request header in some circumstances. Specifically: Tomcat ignored the Transfer-Encoding header if the client declared that it would only accept an HTTP/1.0 response; Tomcat honored the "identity" encoding; and Tomcat did not ensure that, if present, the chunked encoding was the final encoding. Parsing the header in a way that departs from the specification opens the door to request smuggling, and the likelihood of a practical attack is high when the server is deployed behind a reverse proxy, because the proxy and Tomcat can then frame the same request differently.

Detecting the vulnerability with Qualys WAS

Customers can detect this vulnerability with Qualys Web Application Scanning using QID 150367. The detection is based on the installed version; the scanner makes a request to GET /QUALYSTESTRANDOM.1tmhl HTTP/1.0.

Qualys highly recommends upgrading all affected instances of Tomcat. Once detected, the vulnerability can be remediated by upgrading to Apache Tomcat 10.0.7, 9.0.48 or 8.5.68, or to the latest version of Apache Tomcat.
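The three Transfer-Encoding parsing flaws described above all change where a request body ends, and a disagreement about that boundary is exactly what a smuggling attack exploits. The Python below is an added example, not code from this page, from Qualys or from Tomcat: it frames one constructed byte stream two ways, once as a spec-compliant front end (Transfer-Encoding decides the body length for every request version and overrides Content-Length; malformed values are rejected) and once as a deliberately flawed model of the back-end behaviour the advisory describes (Transfer-Encoding dropped for HTTP/1.0 requests, and never validated). The request, the host name example.test, the paths /upload and /second, and the chunk layout are all constructed for the demonstration.

```python
# Added example (not Tomcat's or Qualys's code): request framing with and without
# the Transfer-Encoding checks the advisory describes. All bytes are constructed.
from __future__ import annotations

from dataclasses import dataclass, field

CRLF = b"\r\n"


@dataclass
class Request:
    request_line: str
    headers: dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def transfer_encoding_error(te: str) -> str | None:
    """Reason a Transfer-Encoding value must be rejected with 400, or None if valid.

    These are the checks affected Tomcat versions skipped: 'identity' is not a
    transfer-coding (RFC 7230 dropped it), and the final coding must be 'chunked',
    otherwise the body length cannot be determined (RFC 7230 section 3.3.3).
    """
    codings = [c.strip().lower() for c in te.split(",") if c.strip()]
    if not codings:
        return "empty Transfer-Encoding value"
    if "identity" in codings:
        return "'identity' is not a valid transfer-coding"
    if codings[-1] != "chunked":
        return "chunked must be the final transfer-coding"
    return None


def _read_chunked(raw: bytes, pos: int) -> tuple[bytes, int]:
    """Decode a chunked body at raw[pos]; return (body, position after the terminator)."""
    body = bytearray()
    while True:
        line_end = raw.index(CRLF, pos)
        size = int(raw[pos:line_end].split(b";")[0], 16)  # chunk-size; extensions ignored
        pos = line_end + 2
        if size == 0:
            while raw[pos:pos + 2] != CRLF:  # skip trailer fields, if any
                pos = raw.index(CRLF, pos) + 2
            return bytes(body), pos + 2
        body += raw[pos:pos + size]
        pos += size + 2  # chunk data is followed by CRLF


def _parse_head(raw: bytes, pos: int) -> tuple[str, dict[str, str], int] | None:
    """Parse request line and headers at raw[pos]; None if no valid request starts there."""
    while raw[pos:pos + 2] == CRLF:  # RFC 7230 3.5: tolerate empty lines before the request line
        pos += 2
    end = raw.find(CRLF + CRLF, pos)
    if end < 0:
        return None
    lines = raw[pos:end].decode("ascii", errors="replace").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, end + 4


def split_messages(raw: bytes, lenient: bool) -> tuple[list[Request], bytes]:
    """Frame every request in a byte stream; return (requests, unframed leftover bytes).

    lenient=False: RFC 7230 framing; Transfer-Encoding wins over Content-Length for
    every request version, and a bad value raises ValueError (stands in for a 400).
    lenient=True: constructed model of the advisory's flaws; Transfer-Encoding is
    dropped for HTTP/1.0 requests (so Content-Length wins) and never validated.
    """
    requests: list[Request] = []
    pos = 0
    while pos < len(raw):
        head = _parse_head(raw, pos)
        if head is None:
            break  # leftover bytes would prefix the next request on this connection
        request_line, headers, pos = head
        te = headers.get("transfer-encoding")
        if lenient and request_line.endswith(" HTTP/1.0"):
            te = None  # the flaw: the header is silently ignored for HTTP/1.0 clients
        if te is not None and not lenient and (err := transfer_encoding_error(te)):
            raise ValueError(f"400 Bad Request: {err}")
        if te is not None and "chunked" in te.lower():
            body, pos = _read_chunked(raw, pos)
        elif "content-length" in headers:
            length = int(headers["content-length"])
            body, pos = raw[pos:pos + length], pos + length
        else:
            body = b""
        requests.append(Request(request_line, headers, body))
    return requests, raw[pos:]


# Constructed attacker stream: an HTTP/1.0 request whose single chunk carries a whole
# second request, while Content-Length covers only the chunk-size line ("2c\r\n").
SMUGGLED = b"GET /second HTTP/1.1\r\nHost: example.test\r\n\r\n"
CHUNK_SIZE_LINE = f"{len(SMUGGLED):x}\r\n".encode()
RAW = (
    b"POST /upload HTTP/1.0\r\nHost: example.test\r\n"
    + f"Content-Length: {len(CHUNK_SIZE_LINE)}\r\n".encode()
    + b"Transfer-Encoding: chunked\r\n\r\n"
    + CHUNK_SIZE_LINE + SMUGGLED + CRLF + b"0\r\n\r\n"
)
```

Running `split_messages(RAW, lenient=False)` frames one request, POST /upload, whose chunked body happens to contain the text of GET /second; that is what a compliant proxy forwards. Running it with `lenient=True` frames two requests, POST /upload with a four-byte body followed by GET /second, and leaves `\r\n0\r\n\r\n` unconsumed to prefix whatever arrives next on the connection. Changing the request line to HTTP/1.1 makes the lenient parser agree with the strict one again, which is why the HTTP/1.0 special case in the advisory matters. A hardened front end may also reject any request carrying both Content-Length and Transfer-Encoding outright (RFC 7230 permits this); the strict mode here only applies the precedence and validation rules the specification requires.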

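Because detection is version based, the first thing most teams need is a reliable way to decide whether an installed Tomcat falls inside the affected ranges, including the milestone builds (10.0.0-M1, 9.0.0.M1) that a naive numeric comparison gets wrong. The Python below is an added example, not Qualys's or Tomcat's code: the range table is taken from the version list in the advisory text above, the fixed releases from its remediation advice, and the ordering of milestones before their final release is my own assumption about how Tomcat numbers them. Versions outside the listed ranges are simply reported as not affected.

```python
# Added example (not Qualys's or Tomcat's code): version-range check for CVE-2021-33037.
# Ranges and fixed releases come from the advisory text; milestone ordering is assumed.
from __future__ import annotations

import re

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?$")


def version_key(version: str) -> tuple[int, int, int, int, int]:
    """Sortable key for a Tomcat version; milestones (M1, M2, ...) sort before the release."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    milestone = m.group(4)
    if milestone is None:
        return (major, minor, patch, 1, 0)  # final release
    return (major, minor, patch, 0, int(milestone))  # milestone precedes the release


# (first affected, last affected), inclusive, as listed in the advisory.
AFFECTED_RANGES = [
    (version_key("10.0.0-M1"), version_key("10.0.6")),
    (version_key("9.0.0.M1"), version_key("9.0.46")),
    (version_key("8.5.0"), version_key("8.5.66")),
]

# Fixed release per branch, as given in the remediation advice.
FIXED_IN = {(10, 0): "10.0.7", (9, 0): "9.0.48", (8, 5): "8.5.68"}


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    key = version_key(version)
    return any(low <= key <= high for low, high in AFFECTED_RANGES)


def remediation(version: str) -> str | None:
    """Fixed release for the branch of an affected version, or None if not affected."""
    if not is_affected(version):
        return None
    key = version_key(version)
    return FIXED_IN[(key[0], key[1])]
```

The version string can be taken from the Server header only when Tomcat is configured to expose it; on the host itself, `catalina.sh version` prints the exact value to feed into `is_affected`.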