Rocky is 1:1 with RHEL, so it has the same package versions as RHEL. If RHEL releases 2.4.38 for EL8, then it will be. If not, then it will not be. Please also remember, RHEL backports fixes, so fixes potentially from 2.4.38 can be backported into 2.4.37.
This is why security scanners that go by version number alone are incorrect if they do not take into account the fact that backporting of fixes occurs.
Better would be to search Red Hat Bugzilla for the CVEs that your security scan came up with, to see if they are being addressed, in that future patches are likely, if the commands in the linked post do not show them as already resolved.
Adding on to this, a handy way I like to check my installed packages against particular CVE entries is via RPM changelog. You can view the changelog for httpd (Apache) with the following commands:
# Browse changelog with less:
rpm -q --changelog httpd | less
# You can also grab all "CVE" entries from the changelog, or dig for a particular CVE:
rpm -q --changelog httpd | grep 'CVE'
rpm -q --changelog httpd | grep 'CVE-2023-25690'
This works for every package installed on your system, not just Apache. As @iwalker said, a big part of the RHEL/Rocky/Enterprise Linux world is keeping software on older versions, but with backports of “little fixes” brought in from a newer version. This allows compatibility to be maintained for much longer while still benefiting from security fixes found in newer versions.
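An added example, not part of the original posts: a small shell function that takes the CVE IDs from a scanner report and shows which changelog entry (and so which package release) mentions each one. The function name, the status words and the sample changelog are constructed for illustration; on a real system, feed it `rpm -q --changelog httpd`.

```shell
#!/bin/sh
# Usage on a live system:
#   rpm -q --changelog httpd | cve_changelog_status CVE-2023-25690
cve_changelog_status() {
    awk -v ids="$*" '
        BEGIN { n = split(ids, want, " ") }
        # Entry header: "* Day Mon DD YYYY Name <mail> - version-release"
        /^\* / { header = $0; next }
        {
            for (i = 1; i <= n; i++) {
                id = want[i]
                if (id in seen) continue      # keep the newest entry only
                rest = $0
                while ((pos = index(rest, id)) > 0) {
                    rest = substr(rest, pos + length(id))
                    # A following digit means we hit a longer ID
                    # (CVE-2023-2569 inside CVE-2023-25690): not a match.
                    if (rest !~ /^[0-9]/) {
                        ver = header
                        sub(/^.* - /, "", ver)   # keep version-release only
                        seen[id] = ver
                        break
                    }
                }
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                id = want[i]
                if (id in seen) printf "%s listed-in %s\n", id, seen[id]
                # Absent from the changelog is not proof of exposure:
                # look the CVE up in Red Hat Bugzilla, as suggested above.
                else printf "%s not-in-changelog\n", id
            }
        }'
}

# Constructed sample input (not real httpd changelog text).
sample_changelog() {
    cat <<'EOF'
* Tue Jan 02 2024 Example Packager <packager@example.com> - 2.4.37-0.example2
- Resolves: #0000002 - CVE-0000-0000 placeholder entry

* Mon Jan 01 2024 Example Packager <packager@example.com> - 2.4.37-0.example1
- Resolves: #0000001 - CVE-2023-25690 placeholder entry
EOF
}

# CVE-2023-2569 is a deliberately truncated ID to show the prefix check.
sample_changelog | cve_changelog_status CVE-2023-25690 CVE-2023-2569
```

Unlike a plain `grep`, a truncated or shorter ID is not reported as present just because it is a prefix of a longer one.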
Also, with issues like the example above, where the CVE or weakness is in a module: if you don't need the module, disable it.
I have disabled all the unnecessary modules on my Apache installation; it just reduces the attack surface of potential vulnerabilities.
To find what modules are loaded, it's httpd -M, and not apache{2}ctl -M as so many forum examples suggest; RHEL changed this a while back.
regards peter