Vulnerability details (CVE-2020-9484) in Apache Tomcat, an open source implementation of Java Servlet, JavaServer Pages, Java Expression Language, and Java WebSocket technologies. The problem allows you to achieve code execution on the server by sending a specially designed request. The vulnerability was fixed in Apache Tomcat 10.0.0-M5, 9.0.35, 8.5.55 and 7.0.104 releases.
To successfully exploit the vulnerability, an attacker must be able to control the content and name of the file on the server (for example, if the application has the ability to upload documents or images). In addition, the attack is possible only on systems that use a PersistenceManager with FileStore storage, in whose settings the sessionAttributeValueClassNameFilter parameter is set to null (by default, if the SecurityManager is not used) or a weak filter is selected that allows object deserialization. The attacker also needs to know or guess the path to the file they control, relative to the location of the FileStore.
Source: opennet.ru