Vulnerability description: An input validation error can be exploited to download arbitrary files via directory traversal attacks. Successful exploitation requires that a context is configured with allowLinking="true" and that the connector is configured with URIEncoding="UTF-8".

Affected versions: 4.1.0 to 4.1.37, 5.5.0 to 5.5.26.

Affected items: test: http://127.0.0.1:7021/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd

The impact of this vulnerability: A remote attacker can download arbitrary files via directory traversal attacks.

How to fix this vulnerability: The problem was fixed in SVN.

Web references: Apache Tomcat 5.x vulnerabilities: http://tomcat.apache.org/security-5.html