Jakarta Tomcat prior to 3.3.1a, when used with JDK 1.3.1 or earlier, allows remote attackers to list directories even with an index.html or other file present, or obtain unprocessed source code for a JSP file, via a URL containing a null character.
The developers of tomcat discovered several problems in tomcat version
3.x. The Common Vulnerabilities and Exposures project identifies the
CAN-2003-0042: A maliciously crafted request could return a
directory listing even when an index.html, index.jsp, or other
welcome file is present. File contents can be returned as we ...
Apache Tomcat is prone to a directory/file disclosure vulnerability when used with JDK 1.3.1 or earlier.
It has been reported that remote attackers may view directory contents (even when an 'index.html' or other welcome file). It is also possible for remote attackers to disclose the contents of f ...