CVE-2024-50379 and CVE-2024-56337 do not affect DocuShare.
In DocuShare, the Tomcat default servlet is read-only (that is, write is disabled).
External References
(1)
CVE-2024-50379 Apache Tomcat - RCE via write-enabled default servlet
https://www.cve.org/CVERecord?id=CVE-2024-50379
Description:
If the default servlet is write-enabled (read-only initialisation parameter set to the non-default value of false) for a case insensitive file system, concurrent read and upload under load of the same file can bypass Tomcat's case sensitivity checks and cause an uploaded file to be treated as a JSP leading to remote code execution.
(2)
CVE-2024-56337
https://www.cve.org/CVERecord?id=CVE-2024-56337
https://nvd.nist.gov/vuln/detail/CVE-2024-56337
Description:
The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case insensitive file system with the default servlet write enabled (read-only initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379.
Verifications
The DocuShare server configuration that disables write is in
X:\Xerox\Docushare\tomcat\conf\web.xml
It contains these comments:
<!--   readonly   Is this context "read only", so HTTP   -->
<!--              commands like PUT and DELETE are       -->
<!--              rejected?  [true]                      -->
The readonly param-name is not specified for the default servlet
<servlet-name>default</servlet-name>
so it takes its default value [true], which means read-only. This translates to Not Vulnerable.
In
$DSHOME\tomcat\webapps\docushare\WEB-INF\web.xml
and
$DSHOME\tomcat\webapps\connectkey\WEB-INF\web.xml
there is no setting that overrides the default servlet's read-only setting.