Thiru
Dec 19, 2024

According to the Apache Tomcat documentation (https://tomcat.apache.org/security-9.html),

This vulnerability would only be exploitable "If the default servlet is write-enabled (i.e., the readonly initialization parameter is set to the non-default value of false) on a case-insensitive file system."

But, by default, the readonly parameter is true for the DefaultServlet (Reference: https://tomcat.apache.org/tomcat-9.0-doc/default-servlet.html).

Therefore, this vulnerability should not impact default Tomcat installations.

Reference: https://lists.apache.org/thread/vzhfof75z4oyymls5wooz54h2ddvzyrn

Additionally, the example provided in the above article does not demonstrate exploitation of the actual vulnerability. The issue (CVE-2024-50379) arises due to a Time-of-Check Time-of-Use (TOCTOU) race condition in the Tomcat code, specifically in WebResourceLockSet.java.
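As an added check (not part of Thiru's response or of the Tomcat project), the Python script below reads a Tomcat web.xml and reports whether the DefaultServlet is write-enabled, which is the precondition the quoted advisory names. The servlet class name and the readonly parameter come from the referenced Tomcat documentation; the web.xml samples are constructed, and the assumption that Tomcat parses the value with Java's Boolean.parseBoolean (anything other than "true", ignoring case, disables read-only mode) is mine.

```python
"""Check whether a Tomcat web.xml makes the DefaultServlet write-enabled
(readonly=false), the precondition CVE-2024-50379 needs. The samples below
are constructed and stand in for conf/web.xml or an app's WEB-INF/web.xml."""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag):
    # Tomcat's web.xml declares a default xmlns (javaee or jakartaee), so
    # ElementTree tags arrive as "{uri}servlet"; keep only the local name.
    return tag.rsplit("}", 1)[-1]


def default_servlet_write_enabled(web_xml_text):
    """True if a DefaultServlet definition sets readonly to anything other
    than "true" (assumed to mirror Boolean.parseBoolean, so "FALSE", "no"
    or "0" all disable read-only mode). A missing readonly init-param keeps
    Tomcat's documented default of true (read-only)."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = "".join(c.text or "" for c in servlet if _local(c.tag) == "servlet-class")
        if cls.strip() != DEFAULT_SERVLET_CLASS:
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            fields = {_local(f.tag): (f.text or "").strip() for f in param}
            if fields.get("param-name") == "readonly":
                return fields.get("param-value", "").lower() != "true"
    return False  # no readonly override on the DefaultServlet: read-only


# Constructed samples (not real deployments).
WRITE_ENABLED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

# Same file without the readonly override, i.e. the stock (read-only) setting.
DEFAULT_WEB_XML = WRITE_ENABLED_WEB_XML.replace(
    "<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>\n", "")

if __name__ == "__main__":
    for label, text in (("write-enabled", WRITE_ENABLED_WEB_XML), ("stock", DEFAULT_WEB_XML)):
        print(label, "-> write-enabled:", default_servlet_write_enabled(text))
```

Run it against both conf/web.xml and each application's WEB-INF/web.xml, since an application can redefine the servlet and override the global setting.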
