Tomcat 3.2 final has the following security vulnerabilities that have
subsequently been fixed in the CVS repository:
* A URL like "http://localhost:8080/examples//WEB-INF/web.xml" can
expose sensitive information (note the double slash after "examples").
* The "Show Source" custom tag used to display JSP source code can
be used to expose sensitive information in WEB-INF.
BTW: I think it should be made clear this is only an issue if you are not
using a webserver, like Apache, in front of the Container. A properly
configured Apache renders these vulnerabilities moot.
I suppose that depends on the definition of "properly configured". The standard
config files we generate for Apache would not protect all of the cases, although
it would catch some of them.
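
The double-slash case from the first message, as an added example that is not part of the original thread and is not Tomcat's or Apache's own code. It assumes, for illustration only, that the weak check compares the raw request path against a fixed prefix; all function names and the deny list are hypothetical.

```python
# Added illustration. The weak check is an ASSUMED mechanism, not Tomcat source.
PROTECTED = {"WEB-INF", "META-INF"}  # hypothetical deny list of private dirs


def canonical_segments(path):
    """Split a URL path into segments, dropping empty and '.' segments
    and resolving '..', so '/examples//WEB-INF' and '/examples/WEB-INF'
    produce the same list."""
    segments = []
    for part in path.split("/"):
        if part in ("", "."):
            continue              # repeated slashes yield empty segments
        if part == "..":
            if segments:
                segments.pop()    # never climb above the root
            continue
        segments.append(part)
    return segments


def naive_blocks(path, context="examples"):
    """Weak form: prefix match on the raw, un-normalized request path."""
    return path.startswith("/" + context + "/WEB-INF")


def hardened_blocks(path, context="examples"):
    """Corrected form: canonicalize first, then check the first segment
    under the context root. The comparison ignores case as a defensive
    choice for case-insensitive filesystems."""
    segs = canonical_segments(path)
    return (len(segs) >= 2
            and segs[0] == context
            and segs[1].upper() in PROTECTED)


if __name__ == "__main__":
    # Constructed sample paths; the second is the URL path quoted in the thread.
    for p in ("/examples/WEB-INF/web.xml",
              "/examples//WEB-INF/web.xml",
              "/examples/jsp/index.html"):
        print(p, "naive:", naive_blocks(p), "hardened:", hardened_blocks(p))
```

A front-end rule that matches on the raw path has the same gap as `naive_blocks`, so the check only holds when it runs on the canonical form of the path.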