From the upstream advisory: https://tomcat.apache.org/security-7.html

Low: Information disclosure CVE-2011-2481

The re-factoring of XML validation for Tomcat 7.0.x re-introduced the vulnerability previously reported as CVE-2009-0783. This was initially reported as a memory leak. If a web application is the first web application loaded, this bug allows that web application to potentially view and/or alter the web.xml, context.xml and tld files of other web applications deployed on the Tomcat instance.

This was fixed in revision 1137753 and revision 1138788 and .

This was identified by the Tomcat security team on 20 June 2011 and made public on 12 August 2011.

Affects: 7.0.0-7.0.16

Statement: This issue did not affect any version of Tomcat shipped in Red Hat products. This flaw only affected Tomcat versions 7.0.0 - 7.0.16.