From the upstream advisory:
Low: Information disclosure CVE-2011-2481
The re-factoring of XML validation for Tomcat 7.0.x re-introduced the
vulnerability previously reported as CVE-2009-0783. This was initially
reported as a memory leak. If a web application is the first web
application loaded, this bug allows that web application to potentially
view and/or alter the web.xml, context.xml and tld files of other web
applications deployed on the Tomcat instance.
This was fixed in revision 1137753 and revision 1138788 and .
This was identified by the Tomcat security team on 20 June 2011 and made
public on 12 August 2011.
This issue did not affect any version of Tomcat shipped in Red Hat products. This flaw only affected Tomcat versions 7.0.0 - 7.0.16.