A vulnerability was found in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93. When running on Windows with enableCmdLineArguments enabled, the CGI Servlet is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disabled by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability).
References:
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-9.html
Upstream Patch: https://github.com/apache/tomcat/commit/7f0221b
Statement: This vulnerability is specific to the Windows platform's treatment of file names and how they must be quoted. Tomcat running on Linux hosts is not affected.
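As an added audit example (not code from the advisory or from the Tomcat project), the following Python script parses a Tomcat web.xml and reports each active CGI Servlet declaration together with whether enableCmdLineArguments is switched on, which is the precondition described above. The sample web.xml, the function names and the default_enabled parameter are constructed here; the servlet class name org.apache.catalina.servlets.CGIServlet is assumed to be the real one and is not taken from the page.

```python
import xml.etree.ElementTree as ET

# Tomcat's CGI Servlet class (assumed here; the advisory page does not name it).
CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"


def _local(tag):
    """Strip the {namespace} prefix ElementTree folds into tag names."""
    return tag.rsplit("}", 1)[-1]


def cgi_servlets(web_xml_text, default_enabled):
    """Return [(servlet-name, cmdline_args_enabled)] for each active CGIServlet.

    Commented-out <servlet> blocks (Tomcat's shipped default) are dropped by the
    parser, so they correctly do not appear. default_enabled is what to assume when
    enableCmdLineArguments is absent: the advisory says it is off by default only on
    9.0.x, so pass True when auditing 7.0.x / 8.5.x hosts.
    """
    root = ET.fromstring(web_xml_text)
    found = []
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = name = None
        enabled = default_enabled
        for child in servlet:
            tag = _local(child.tag)
            if tag == "servlet-class":
                cls = (child.text or "").strip()
            elif tag == "servlet-name":
                name = (child.text or "").strip()
            elif tag == "init-param":
                p = {_local(e.tag): (e.text or "").strip() for e in child}
                if p.get("param-name") == "enableCmdLineArguments":
                    enabled = p.get("param-value", "").lower() == "true"
        if cls == CGI_SERVLET_CLASS:
            found.append((name, enabled))
    return found


# Constructed sample: CGI Servlet uncommented and command line arguments turned on.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>enableCmdLineArguments</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>"""

if __name__ == "__main__":
    print(cgi_servlets(SAMPLE_WEB_XML, default_enabled=True))  # [('cgi', True)]
```

Run it against conf/web.xml and every webapp's WEB-INF/web.xml on a Windows host; any entry reported with True should have the parameter set to false (or the servlet removed) until the patched release is in place.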
This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2019:1712 https://access.redhat.com/errata/RHSA-2019:1712
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-0232