Remote code execution vulnerability resides in Common Gateway Interface (CGI) Servlet when running on Windows withenabled and occurs due to a bug in the way the Java Runtime Environment (JRE) passes command line arguments to Windows. The vulnerability was reported to the Apache Tomcat security team by researchers from Nightwatch Cybersecurity on 3rd March 2019 and was made public on 10 April 2019 after the ASF released the updated versions. In response to this vulnerability, the CGI Servlet enableCmdLineArguments option will now be disabled by default in all versions of Tomcat.
Source: https://thehackernews.com/2019/04/apache-tomcat-security-flaw.html