Apache Tomcat is affected by a Java deserialization vulnerability if the PersistentManager is configured as session manager. Successful exploitation requires the attacker to be able to upload an arbitrary file to the server. This archive includes a write up and proof of concept code from multiple researchers.
a4290abd849a9bb4c118b840fc087ac9