@h0ng10@micahflee This is a fairly common mistake too and causes a lot of bullshit work for security teams. A banner string (*especially* in case of Apache HTTPd) doesn't mean anything, so unless you can demonstrate the presence of a vulnerability this is nothing (aka PoC||GTFO).
In addition the cited CVE-2024-38476 likely requires a specific config to be exploitable (although no details are published yet, I base this assessment on the other vulns explained):