Jakarta Tomcat prior to 3.3.1a, when used with JDK 1.3.1 or earlier, uses trusted privileges when processing the web.xml file, which could allow remote attackers to read portions of some files through the web.xml file.
The developers of tomcat discovered several problems in tomcat version
3.x. The Common Vulnerabilities and Exposures project identifies the
CAN-2003-0042: A maliciously crafted request could return a
directory listing even when an index.html, index.jsp, or other
welcome file is present. File contents can be returned as we ...