Two CVEs in the current version of Tomcat 9.0.36
- fixed in the latest version 9.0.37
https://github.com/spring-projects/spring-boot/blob/master/spring-boot-project/spring-boot-dependencies/build.gradle#L1704
Comment From: wilkinsona
Thanks, but we're already aware. As noted in the issue template, there's no need to raise an issue for a dependency upgrade as upgrades are applied semi-automatically prior to each release. We'll pick up 9.0.37 as part of that upgrade process for our next maintenance releases. In the meantime, you can use the `tomcat.version` property to use 9.0.37 in your app.
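
The `tomcat.version` override mentioned in the comment above, shown as an added example that is not part of the original thread. It assumes a Maven build whose `pom.xml` inherits from `spring-boot-starter-parent`; the property has no effect if the Spring Boot BOM is only imported in `dependencyManagement`.

```xml
<!-- pom.xml fragment (added example; assumes the project's parent is
     spring-boot-starter-parent, which reads this property) -->
<properties>
    <!-- Pin embedded Tomcat to the fixed release until the next Spring Boot
         maintenance release picks it up; remove the pin after upgrading
         Spring Boot so it does not hold Tomcat back later. -->
    <tomcat.version>9.0.37</tomcat.version>
</properties>
<!-- To confirm the resolved version, run:
     mvn dependency:tree -Dincludes=org.apache.tomcat.embed
     and check that every tomcat-embed-* artifact reports 9.0.37. -->
```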