By default, Tomcat's 404 error page discloses the version number that it is running, so all we need to do is to visit a URL that does not exist on the server and the server should throw back an error page, asĀ in the following screenshot:
Many administrators don't really hide the web server banner that discloses the version number. A threat actor can use this information to find a public or zero-day exploit from their arsenal to get access to the server.