Servlets, EJBs, and their supporting classes can access anything on the server. Unless you are really into setting security permissions, in which case you can limit what they have access to.
But as far as this being a security bug? No, it isn't. A security bug would be if a user could enter a url such as http://hostname:8080/home/xxx/foo.doc to access a document in user xxx's home directory. In other words, only files within a WAR file (not in meta-inf or web-inf), or in a directory set up for static content, should be accessible from a URL to have a secure environment.