Upgrade Apache (httpd) to most recent version on Rocky 8.8

Rocky is 1:1 with RHEL, so it has the same package versions as RHEL. If RHEL releases 2.4.38 for EL8, then it will be. If not, then it will not be. Please also remember, RHEL backports fixes, so fixes potentially from 2.4.38 can be backported into 2.4.37.

This is why security scanners that go by version number alone are incorrect if they do not take into account the fact that backporting of fixes occurs.

This post gives you commands you can use to see if CVEs were applied to the package or not: Errata missing a specific httpd security advisory - #2 by iwalker

Better would be to search Red Hat Bugzilla for the CVEs that your security scan came up with, to see if they are being addressed, in that future patches are likely, if the commands in the linked post do not show them as already resolved.

For example: https://bugzilla.redhat.com/buglist.cgi?quicksearch=cve%20httpd does show a mod_rewrite regression for EL8 when doing a search for “cve httpd”.

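One way to triage a scanner's findings against backported fixes, as an added example that is not from this thread or the linked post: it checks each reported CVE ID against the package's RPM changelog text. The function names, the `CVE-0000-…` IDs and the sample changelog are constructed placeholders; on a real host the input would come from `rpm -q --changelog httpd`.

```shell
#!/bin/sh
# Added example: classify scanner-reported CVE IDs by whether the package
# changelog mentions them, i.e. whether the fix was backported.

# Constructed sample in RPM changelog layout (not real httpd history).
sample_changelog() {
cat <<'EOF'
* Tue Jan 02 2024 Constructed Packager <pkg@example.invalid> - 2.4.37-99
- Resolves: #0000002 - CVE-0000-0002 httpd: constructed sample entry
- Resolves: #0000031 - cve-0000-00031 httpd: longer ID, must not match -0003
* Mon Jan 01 2024 Constructed Packager <pkg@example.invalid> - 2.4.37-98
- Resolves: #0000001 - CVE-0000-0001 httpd: constructed sample entry
EOF
}

# check_cves CVE-ID...   (changelog text is read from stdin)
# Prints "<CVE> fixed-in-changelog" or "<CVE> not-in-changelog" per ID.
# Returns 0 if every ID is mentioned, 1 if at least one is not.
check_cves() {
    cc_text=$(cat)
    cc_rc=0
    for cc_id in "$@"; do
        # -F literal match, -w whole token (CVE-0000-0003 must not match
        # CVE-0000-00031), -i because packagers vary the case.
        if printf '%s\n' "$cc_text" | grep -qiwF -- "$cc_id"; then
            printf '%s fixed-in-changelog\n' "$cc_id"
        else
            printf '%s not-in-changelog\n' "$cc_id"
            cc_rc=1
        fi
    done
    return "$cc_rc"
}

# Real use (assumes an RPM-based host with httpd installed):
#   rpm -q --changelog httpd | check_cves CVE-... CVE-...
# Offline demonstration on the constructed sample:
sample_changelog | check_cves CVE-0000-0001 CVE-0000-0002 CVE-0000-0003 \
    || echo "IDs marked not-in-changelog: look them up in Red Hat Bugzilla"
```

An ID reported as `not-in-changelog` is not proof the package is vulnerable; it is the subset to look up in Bugzilla, as the reply suggests.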