d31aa12fa4
A security vulnerability has been confirmed to exist in Apache Tomcat 4.0.x releases (including Tomcat 4.0.5), which allows to use a specially crafted URL to return the unprocessed source of a JSP page, or, under special circumstances, a static resource which would otherwise have been protected by security constraint, without the need for being properly authenticated. This is based on a variant of the exploit that was disclosed on 09/24/2002.