A vulnerability found in default Apache Tomcat 4.x installation can be used to remotely disclose the source of served JSP files. The Tomcat developers fixed this issue in the Tomcat versions 4.0.5 and 4.1.12, which are available here.
2fef92ed7d59d75004c3b7399e643001f93de8ce9846efd4fb65db9ad40f1db1