Tomcat before 5.0.27-r3 in Gentoo Linux sets the default permissions on the init scripts as tomcat:tomcat, but executes the scripts with root privileges, which could allow local users in the tomcat group to execute arbitrary commands as root by modifying the scripts.
https://exchange.xforce.ibmcloud.com/vulnerabilities/16993
http://www.securityfocus.com/bid/10951