The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.
lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html
lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html
lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html
packetstormsecurity.com/files/135882/Apache-Tomcat-CSRF-Token-Leak.html
rhn.redhat.com/errata/RHSA-2016-1089.html
rhn.redhat.com/errata/RHSA-2016-2599.html
rhn.redhat.com/errata/RHSA-2016-2807.html
rhn.redhat.com/errata/RHSA-2016-2808.html
seclists.org/bugtraq/2016/Feb/148
svn.apache.org/viewvc?view=revision&revision=1720652
svn.apache.org/viewvc?view=revision&revision=1720655
svn.apache.org/viewvc?view=revision&revision=1720658
svn.apache.org/viewvc?view=revision&revision=1720660
svn.apache.org/viewvc?view=revision&revision=1720661
svn.apache.org/viewvc?view=revision&revision=1720663
tomcat.apache.org/security-7.html
tomcat.apache.org/security-8.html
tomcat.apache.org/security-9.html
www.debian.org/security/2016/dsa-3530
www.debian.org/security/2016/dsa-3552
www.debian.org/security/2016/dsa-3609
www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
www.ubuntu.com/usn/USN-3024-1
access.redhat.com/errata/RHSA-2016:1087
access.redhat.com/errata/RHSA-2016:1088
bto.bluecoat.com/security-advisory/sa118
github.com/apache/tomcat
h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442
h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626
lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2015-5351
security.gentoo.org/glsa/201705-09
security.netapp.com/advisory/ntap-20180531-0001
softwaresupport.hpe.com/document/-/facetsearch/document/KM02978021
web.archive.org/web/20160321234551/www.securitytracker.com/id/1035069
web.archive.org/web/20161020161943/www.securityfocus.com/bid/83330