The remote web server is missing an Apache Tomcat patch update.
Apache Tomcat 6.0.x before 6.0.45, 7.0.x before 7.0.65 or 8.0.x before 8.0.27 is affected by a flaw that allows traversing outside of a restricted path. The issue is due to the 'getResource()', 'getResourceAsStream()', and 'getResourcePaths()' ServletContext methods not properly sanitizing user input, specifically path traversal style attacks (e.g. '../'). With a specially crafted request, a remote attacker can gain access to a directory listing.
Update to Apache Tomcat version 8.0.27 or later. If version 8.0.x cannot be obtained, versions 7.0.65 and 6.0.45 are also patched for these vulnerabilities.