WEB-INF
is not directly accessible from a browser, so most normal browser activity should not find it.
However, if the server does not restrict navigation by .. (parent of), many things on the server may become visible that were never meant to be. (Yes, that is improper implementation, but humans are involved.)