An improper class constriction vulnerability was found in Apache Tomcat. By exploiting this vulnerability malicious users can read arbitrary files. This vulnerability can be exploited from the network at a point related to the XML parser via a specially designed web application.

Apache Tomcat versions 6.0.40 and earlier
Apache Tomcat 7 versions 7.0.53 and earlier
Apache Tomcat 8 versions 8.0.5 and earlier  

Update to latest version

Apache changelog