Strange report CVE-2022-22963

I ran the scan in September 2023 and the CVE in question did not appear.
Then, since May, it has continued to show up.
The scanned machine is a Windows machine with IIS; there is no Apache/Tomcat. What do you think it could be?

On the same machine, in September, vulnerabilities were reported to me on MySQL (a very old version is installed and we are waiting for the application to be updated). Now the vulnerability is no longer reported… but MySQL has not been updated.

I don’t know why you are referencing Apache/Tomcat here. The CVE you referenced, CVE-2022-22963, has two tests: 1. version check and 2. active check. Both are VMware Spring Cloud Function vulnerabilities. Neither was modified in May 2024.


Is the machine in question running monitoring software? We had a false positive for the CVE because it was sending out pings to the scanning server. The scanning server interpreted this as the exploit being run successfully.