The version of Apache Tomcat installed on the remote host is 9.0.x prior to 9.0.5. It is, therefore, affected by a security constraints flaw that could expose resources to unauthorized users.
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1304
tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.5