On September 19, 2017 (US time), the Apache Software Foundation released information on vulnerabilities (CVE-2017-12615 and CVE-2017-12616) in
Apache Tomcat. In the vulnerability CVE-2017-12615, when running on Windows with HTTP PUTs enabled (e.g. via setting the readonly
initialisation parameter of the Default servlet to false), arbitrary code may be executed remotely on the server that runs Apache Tomcat by using a
specially crafted request. In the vulnerability CVE-2017-12616, when using VirtualDirContext, it was possible to bypass security constraints
and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.
To read the original article: https://www.jpcert.or.jp/english/at/2017/at170038.html