My Nexus IQ Server says:
Apache Tomcat 8.5.40 (Group:org.apache.tomcat.embed Artifact:tomcat-embed-core Version: 8.5.40) has CVE-2019-0232
Apache Tomcat says
Tomcat 8.5.40 Released
The Apache Tomcat Project is proud to announce the release of version 8.5.40 of Apache Tomcat. Apache Tomcat 8.5.x replaces 8.0.x and includes new features pulled forward from Tomcat 9.0.x. The minimum Java version and implemented specification versions remain unchanged. The notable changes compared to 8.5.39 include:
Fix for CVE-2019-0232, an RCE vulnerability on Windows
Add support for Java 11 to the JSP compiler. Java 12 and 13 are also now supported if used with a ECJ version with support for those Java versions
Various NIO2 stability improvements
Full details of these changes, and all the other changes, are available in the Tomcat 8.5 changelog.
To follow up on this, it looks like our Full Deep Dive research was recently completed on CVE-2019-0232. Unfortunately 8.5.40 was not published by the time we completed our research so the range was left open-ended. Our system was notified of the 8.5.40 release and that data is working its way through the pipeline.
I would expect you will see this updated in IQ server in a few days.