Time to check and update your bundled Tomcat version
Apache has released patches for several versions of Tomcat.
| Apache Version | Affected Release Versions | Fixed Version |
| --- | --- | --- |
| Apache Tomcat 9 | 9.0.30 and below | 9.0.31 |
| Apache Tomcat 8 | 8.5.50 and below | 8.5.51 |
| Apache Tomcat 7 | 7.0.99 and below | 7.0.100 |
CommandBox doesn’t use Tomcat, but the standard Lucee distribution does.
You can mitigate this without updating by configuring Tomcat to use a secret, as noted in the above links.
Unfortunately, the Apache Httpd connector doesn’t support this yet (a bug was filed in 2012, sigh),
and mod_cfml still won’t work with the latest Apache release if it was available.
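To check a bundled Tomcat against the table and the secret mitigation described above, the following is an added example, not code from the original post or from the Tomcat or Lucee projects. It assumes the secret is set on the AJP `<Connector>` in `server.xml` (attribute `secret`, or `requiredSecret` in older releases); the sample `server.xml` and its values are constructed.

```python
import xml.etree.ElementTree as ET

# Fixed releases from the table above, keyed by (major, minor) branch.
FIXED = {(9, 0): (9, 0, 31), (8, 5): (8, 5, 51), (7, 0): (7, 0, 100)}

def is_patched(version):
    """True/False for branches in the table, None for branches it does not list."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    fixed = FIXED.get(parts[:2])
    return None if fixed is None else parts >= fixed

def audit_ajp(server_xml):
    """Return one finding per AJP <Connector> that has no shared secret."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if "ajp" not in protocol.lower():
            continue
        # Assumption: 'secret' is the attribute name in the fixed releases and
        # 'requiredSecret' in older ones. An empty value counts as missing.
        if not (conn.get("secret") or conn.get("requiredSecret")):
            findings.append({"port": conn.get("port"),
                             "address": conn.get("address", "(not set)")})
    return findings

# Constructed sample server.xml; the secret value is a placeholder.
SAMPLE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8888" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secret="CHANGE-ME-placeholder" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>"""

if __name__ == "__main__":
    for v in ("9.0.30", "8.5.51", "7.0.100", "10.0.0"):
        print(v, is_patched(v))
    for finding in audit_ajp(SAMPLE):
        print("AJP connector without secret:", finding)
```

A connector that gains a secret here needs the same value configured on the web-server side, which is the part the post says the Apache connector does not yet support.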