There is a vulnerability allows remote code execution in Apache Tomcat APJ CNVD-2020-10487/CVE-2020-1938 (File read/inclusion vulnerability in the Apache Tomcat AJP connector )
Apache has released patches for all versions of Tomcat.
Apache Version Affected Release Versions Fixed Version
Apache Tomcat 9 9.0.30 and below 9.0.31
Apache Tomcat 8 8.5.50 and below 8.5.51
Apache Tomcat 7 7.0.99 and below 7.0.100
Initially This vulnerability called Ghostcat was discovered by researchers at Chaitin Tech and reported to the Apache Software Foundation on January 3, 2020.