Apache · Apache Tomcat · CVE-2017-12617
**Name of the Vulnerable Software and Affected Versions**
Apache Tomcat versions 7.0.0 through 7.0.81
Apache Tomcat versions 8.0.0.RC1 through 8.0.46
Apache Tomcat versions 8.5.0 through 8.5.22
Apache Tomcat versions 9.0.0.M1 through 9.0.0
**Description**
Apache Tomcat's Default servlet (`org.apache.catalina.servlets.DefaultServlet`, defined in `conf/web.xml`) accepts HTTP PUT requests that write files into the web application when its `readonly` initialisation parameter is set to `false`. In the affected versions a remote attacker could use a specially crafted PUT request to upload a JSP file to the server. Requesting that JSP afterwards executes any code it contains with the privileges of the Tomcat process, giving unauthenticated remote code execution. The parameter defaults to `true`, so only deployments that have explicitly enabled PUT are exposed; those deployments are fully exposed, because no credentials are needed for the PUT.
**Recommendations**
Upgrade to a release that contains the fix: Apache Tomcat 7.0.82, 8.0.47, 8.5.23 or 9.0.1 (or later) for the 7.0.x, 8.0.x, 8.5.x and 9.0.x branches respectively. Where an immediate upgrade is not possible, set the `readonly` initialisation parameter of the Default servlet in `conf/web.xml` to `true` (its default value) or remove the parameter altogether, and restrict HTTP PUT requests at the container level. A quick audit check is `grep -n -A1 readonly conf/web.xml`, which should return nothing or a `<param-value>true</param-value>`; the same check applies to any per-application `WEB-INF/web.xml` that redefines the servlet.
Disabling the Default servlet is not a practical workaround, because it is also the servlet that serves every static resource in a web application; setting `readonly` to `true` removes the write capability without that side effect. As defence in depth, deny `PUT` (and `DELETE`) to all users with a `<security-constraint>` carrying an empty `<auth-constraint/>`, so that a later configuration change cannot silently re-enable uploads. After applying either measure, confirm it with `curl -i -X PUT --data test http://host:8080/probe.txt`: the server should answer `403`, and `probe.txt` must not appear in the web application directory.
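The weak and the corrected Default servlet definitions side by side, plus the method-denying security constraint, as an added example for this advisory; it is not an excerpt from any Tomcat release's `conf/web.xml`, and the `<security-constraint>` name and the trimmed `<init-param>` list are this example's own choices. Only one of the two `<servlet>` definitions belongs in a real file.

```xml
<!-- conf/web.xml (excerpt). Added example, not the stock file: only the
     elements relevant to CVE-2017-12617 are shown. -->

<!-- VULNERABLE: readonly=false lets the Default servlet create files on PUT.
     This is the setting to look for in an audit. -->
<servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param>
    <param-name>readonly</param-name>
    <param-value>false</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>

<!-- HARDENED: readonly=true is the default; stating it explicitly makes the
     intent visible during configuration review. -->
<servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param>
    <param-name>readonly</param-name>
    <param-value>true</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>

<!-- Defence in depth: deny PUT and DELETE on every path to every principal.
     An empty <auth-constraint/> means "no role may access", i.e. HTTP 403.
     Other methods (GET, POST, ...) are deliberately left unconstrained. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>no-file-writes-over-http</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
```

Placed in `conf/web.xml` the constraint is merged into every deployed application; placed in an application's `WEB-INF/web.xml` it covers only that application. The constraint complements `readonly=true` rather than replacing it: the init-param stops the Default servlet from writing, while the constraint rejects the request before any servlet sees it.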