IBM WebSphere Application Server (WAS) 5.1.1.9 and earlier allows remote attackers to obtain JSP source code and other sensitive information via "a specific JSP URL."
http://www.vupen.com/english/advisories/2007/0970
http://www.securityfocus.com/bid/22991
http://www-1.ibm.com/support/docview.wss?uid=swg24011720