Jakarta Tomcat 4.0.1 allows remote malicious users to reveal physical path information by requesting a long URL with a .JSP extension.
apache tomcat 4.0.1