Remediation of Tomcat Vulnerabilities (CVE-2025-31651, CVE-2025-46701, CVE-2025-31650)



Article ID: 402177


Products

CA Service Desk Manager, CA Service Management - Service Desk Manager

Issue/Introduction

Several vulnerabilities have been reported in Apache Tomcat 9.0.102 and earlier versions.

CVE-2025-31651 (Critical): Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102.

CVE-2025-46701 (High): Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's CGI servlet allows bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104.

CVE-2025-31650 (High): Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request, which created a memory leak. A large number of such requests could trigger an OutOfMemoryException, resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5.
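The three affected ranges above overlap only partially (CVE-2025-31650 starts at 9.0.76, CVE-2025-46701 extends to 9.0.104), and Tomcat milestone builds such as 9.0.0.M1 or 11.0.0-M1 sort before the GA build of the same number, so a plain string comparison of version numbers gives wrong answers. The following script is an added example, not part of this article or of Tomcat: it parses the `Apache Tomcat/<version>` string that `version.sh`/`version.bat` prints (and that `ServerInfo.properties` contains), and reports which of the three CVEs, using exactly the ranges stated above, apply to the installed version. The sample `version.sh` output embedded in it is constructed for illustration.

```python
import re

# Inclusive affected ranges, copied from the advisory text above.
AFFECTED_RANGES = {
    "CVE-2025-31651": [("11.0.0-M1", "11.0.5"), ("10.1.0-M1", "10.1.39"), ("9.0.0.M1", "9.0.102")],
    "CVE-2025-46701": [("11.0.0-M1", "11.0.6"), ("10.1.0-M1", "10.1.40"), ("9.0.0.M1", "9.0.104")],
    "CVE-2025-31650": [("9.0.76", "9.0.102"), ("10.1.10", "10.1.39"), ("11.0.0-M2", "11.0.5")],
}

# Tomcat versions: "9.0.102", or milestones written "9.0.0.M1" (9.x style) / "11.0.0-M1" (10.x/11.x style).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text):
    """Turn a Tomcat version string into a sortable tuple.

    A milestone build sorts before the GA build with the same number, so the
    tuple is (major, minor, patch, is_ga, milestone_number): GA gets is_ga=1,
    milestones get is_ga=0 and then order by their milestone number.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def affected_cves(version_text):
    """Return the CVE ids (in advisory order) whose ranges include this version."""
    v = parse_version(version_text)
    return [
        cve
        for cve, ranges in AFFECTED_RANGES.items()
        if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)
    ]


_SERVER_INFO_RE = re.compile(r"Apache Tomcat/(\S+)")


def version_from_server_info(text):
    """Extract the version from version.sh output or ServerInfo.properties;
    both contain the string 'Apache Tomcat/<version>'."""
    m = _SERVER_INFO_RE.search(text)
    if not m:
        raise ValueError("no 'Apache Tomcat/<version>' string found")
    return m.group(1)


# Constructed sample of the first line version.sh prints; not a real capture.
SAMPLE_VERSION_SH_OUTPUT = "Server version: Apache Tomcat/9.0.102\n"


def report(server_info_text):
    """Human-readable summary for one Tomcat installation."""
    version = version_from_server_info(server_info_text)
    hits = affected_cves(version)
    if hits:
        return f"Tomcat {version} is affected by {', '.join(hits)}; upgrade to 9.0.106 or later."
    return f"Tomcat {version} is not in the affected ranges for these three CVEs."


if __name__ == "__main__":
    # Typical use: python check_tomcat.py < <(sh "$CATALINA_HOME/bin/version.sh")
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_VERSION_SH_OUTPUT
    print(report(data))
```

Because the check is driven by the version string alone, it is a quick inventory aid for hosts running Service Desk Manager's embedded Tomcat; it does not replace confirming the upgrade to 9.0.106 on each server after following the documentation below.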

Environment

CA Service Desk Manager 17.4

Resolution

These issues will be addressed in the upcoming 17.4 RU5 version (tentatively scheduled for late October 2025 - early November 2025) with an upgrade to Apache Tomcat 9.0.106.

In the meantime, upgrade to Apache Tomcat 9.0.106 (or later) by following the documentation linked below to remediate the above vulnerabilities.

Install and Configure Apache Tomcat