The vulnerability impacts Spring MVC and Spring WebFlux applications that are packaged as WAR archives, are deployed to Apache Tomcat servers and run on JDK 9 and higher.