Hello!
In the current stable version of the camunda(https://camunda.org/download/), the tomcat 8.0.24 is used.
This version is subject to the vulnerability CVE-2017-12617 which is fixed in the version 8.0.47.
Is it planned to update tomcat in a stable build version?