Hello,
I noticed CVE-2024-34750 is correctly reported on org.apache.tomcat:tomcat (https://ossindex.sonatype.org/component/pkg:maven/org.apache.tomcat/tomcat@9.0.86), but it is not reported on tomcat-embed-core Maven - org.apache.tomcat.embed/tomcat-embed-core - Sonatype OSS Index, while a significant number of tools are reporting it on this package.
I am wondering if CVE is not impacting tomcat embed and other tools are wrong or the oppposite, there is an issue on OSSIndex and this package should be flag as vulnerable ?