A customer has reported that a security scan flagged Apache Tomcat 8.5.23 as being vulnerable to the following CVEs:
- Denial Of Service Overflow (CVE-2018-1336 fixed in 8.5.31)
- Default settings for the CORS filter (CVE-2018-8014 fixed in 8.5.32)
Apache Tomcat 8.5.23 is used in both SonarQube 6.7.6 LTS and SonarQube 7.6.
The latest version of Apache Tomcat 8.5.x is 8.5.34. Apache does a good job noting vulnerability fixes here, and it looks like there are a few other CVEs that have been addressed.