Access to files from the /bonita webapp container is too liberal. You can get files like web.xml with an HTTP request using a simple path traversal. Files from WEB-INF and META-INF should not be accessible.
Tomcat and Wildfly bundles
Thank you for the report! Feel free to share any experience you may have to secure this.
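
One defence-in-depth option for the request above, as an added example that is not part of the original thread or of Bonita's code: a servlet filter that refuses any request whose decoded URI names a WEB-INF or META-INF segment. The class name `ProtectedDirFilter` is hypothetical, and the code assumes the `javax.servlet` API (use `jakarta.servlet` on newer containers) and Java 10 or later.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter, not Bonita code: answers 404 for any request whose
// decoded URI contains a WEB-INF or META-INF path segment.
public class ProtectedDirFilter implements Filter {

    static boolean isProtected(String rawUri) {
        String path = rawUri;
        // Decode up to three times so multiply-encoded separators are seen decoded.
        for (int i = 0; i < 3; i++) {
            String decoded;
            try {
                decoded = URLDecoder.decode(path, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                return true; // malformed percent-escape: fail closed
            }
            if (decoded.equals(path)) break;
            path = decoded;
        }
        // Split on both separators; compare segment names case-insensitively.
        for (String segment : path.split("[/\\\\]+")) {
            int semi = segment.indexOf(';');
            if (semi >= 0) segment = segment.substring(0, semi); // drop ;path-params
            String name = segment.trim().toUpperCase(Locale.ROOT);
            if (name.equals("WEB-INF") || name.equals("META-INF")) return true;
        }
        return false;
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (isProtected(request.getRequestURI())) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Map the filter to `/*` ahead of the webapp's other filters; it only covers requests that pass through the filter chain, so it complements rather than replaces a fix in the code that serves the files.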