When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
https://www.synology.com/support/security/Synology_SA_17_54_Tomcat
https://www.exploit-db.com/exploits/42953/
https://security.netapp.com/advisory/ntap-20171018-0001/
https://github.com/breaktoprotect/CVE-2017-12615
https://access.redhat.com/errata/RHSA-2018:0466
https://access.redhat.com/errata/RHSA-2018:0465
https://access.redhat.com/errata/RHSA-2017:3114
https://access.redhat.com/errata/RHSA-2017:3113
https://access.redhat.com/errata/RHSA-2017:3081
https://access.redhat.com/errata/RHSA-2017:3080
http://www.securitytracker.com/id/1039392
http://www.securityfocus.com/bid/100901
http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html