CVE-2023-50164 not detecting vulnerable versions of Struts installed

It looks as though the detection for CVE-2023-50164 isn’t detecting vulnerable versions of Apache Struts properly.

E.g.
Software - Struts 2.3.15.1-atlassian-5 + cpe:/a:apache:struts:2.3.15.1 - Detects as vulnerable.
Software - Struts 2.3.20 + cpe:/a:apache:struts:2.3.20 - Not detected as vulnerable.

As per the advisory https://cwiki.apache.org/confluence/display/WW/S2-066, Struts 2.0.0 - Struts 2.3.37 is (EOL)

While we try to maintain full granularity of vulnerabilities affecting obsolete software, this is not always possible, and there may be gaps. However, we do ensure that this vulnerability, and others, will at least be caught by an obsolete check.

The nature of obsolete software is that it will contain many known and unknown, unpatched and un-patchable vulnerabilities.

In this particular case, we wouldn’t be able to recommend a solution to fix CVE-2023-50164 on Struts 2.3.x; however, we would detect the obsolete version of Struts and recommend upgrading to a supported version.

Looks like the signature was updated on the 13th and now identifies the older EOL versions. Thanks.
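
For anyone who wants to cross-check their own inventory against the EOL range quoted in this thread (Struts 2.0.0 - 2.3.37), here is an added example that is not part of the original posts and is not the scanner vendor's detection logic. The function names are hypothetical; the first two CPEs are the ones from the question, the others are constructed.

```python
import re

# Range quoted in the thread from the S2-066 advisory: Struts 2.0.0 - 2.3.37 (EOL).
EOL_RANGE = ((2, 0, 0), (2, 3, 37))


def parse_cpe22(uri):
    """Split a CPE 2.2 URI (cpe:/part:vendor:product:version...) into fields."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    fields = uri[len("cpe:/"):].split(":")
    fields += [""] * (4 - len(fields))  # the version field may be absent
    part, vendor, product, version = fields[:4]
    return {"part": part, "vendor": vendor, "product": product, "version": version}


def version_tuple(version):
    """Keep only the leading dotted number: '2.3.15.1-atlassian-5' -> (2, 3, 15, 1)."""
    match = re.match(r"\d+(?:\.\d+)*", version)
    if not match:
        return None
    return tuple(int(p) for p in match.group(0).split("."))


def pad(ver, width):
    """Right-pad with zeros so tuples of different length compare component-wise."""
    return ver + (0,) * (width - len(ver))


def in_eol_range(cpe_uri, bounds=EOL_RANGE):
    """True when the CPE is apache:struts with a version inside the inclusive range."""
    cpe = parse_cpe22(cpe_uri)
    if (cpe["vendor"], cpe["product"]) != ("apache", "struts"):
        return False
    ver = version_tuple(cpe["version"])
    if ver is None:
        return False  # no usable version: cannot place it in the range
    low, high = bounds
    width = max(len(ver), len(low), len(high))
    return pad(low, width) <= pad(ver, width) <= pad(high, width)


if __name__ == "__main__":
    for uri in ("cpe:/a:apache:struts:2.3.15.1",   # from the thread
                "cpe:/a:apache:struts:2.3.20",     # from the thread
                "cpe:/a:apache:struts:2.3.38",     # constructed, just past the range
                "cpe:/a:apache:tomcat:2.3.20"):    # constructed, different product
        print(uri, "->", "in EOL range" if in_eol_range(uri) else "outside EOL range")
```

A result of "outside EOL range" only means the version is not in the 2.0.0 - 2.3.37 span quoted here; check the advisory for the other affected ranges.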