Hello,
Are the Patch files contained within the ADManager Plus directory required to be kept for future use or can they be removed after upgrading?
For example, our Wiz security platform is counting these as vulnerabilities even though we are running 8.0.0 Build 8024.
C:\ManageEngine\ADManager Plus\Patch\ManageEngine_ADManager_Plus-7.2.0-SP-2.2\SERVER\ES\plugins\search-guard-6\jackson-databind-2.8.11.1.jar
This is flagged because 2.8.11.1 is vulnerable to CVE-2020-11620, which exists in versions >= 2.7.0-rc1, < 2.9.10.4.
We have similar vulnerabilities reported for other previous patch folders for ADManager Plus, ADSelfService Plus, and Endpoint Central.
If these files are no longer required, I'd like to request that the upgrader prompts the administrator to remove them or that they are removed automatically.
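
The check described in the post, as an added example that is not part of the original post or any vendor or scanner tooling: it takes a list of flagged jar paths, reports whether each jackson-databind jar sits under a folder named Patch, and tests its version against the range the post states. The function names, the `patch_dir` label and the `C:\EXAMPLE` paths are assumptions made for illustration; the version ordering is simplified to numeric parts plus an optional `-rcN` style qualifier.

```python
import re
from pathlib import PureWindowsPath

# Affected range for CVE-2020-11620 exactly as stated in the post.
LOW, HIGH = "2.7.0-rc1", "2.9.10.4"
JAR_RE = re.compile(r"^jackson-databind-(\d+(?:\.\d+){0,3}(?:-\w+)?)\.jar$", re.I)

def version_key(version):
    """Sortable key: numeric parts padded to four, pre-releases before the release."""
    base, _, qualifier = version.partition("-")
    nums = [int(p) for p in base.split(".")]
    nums += [0] * (4 - len(nums))
    if qualifier:  # e.g. "rc1" sorts below the final 2.7.0
        pre = (0, int(re.sub(r"\D", "", qualifier) or 0))
    else:
        pre = (1, 0)
    return tuple(nums), pre

def in_affected_range(version):
    return version_key(LOW) <= version_key(version) < version_key(HIGH)

def classify(path):
    """Return (location, version, affected) for a jackson-databind jar, else None."""
    p = PureWindowsPath(path)
    m = JAR_RE.match(p.name)
    if not m:
        return None
    # "patch_dir" = some parent folder is literally named Patch, as in the post.
    in_patch = any(part.lower() == "patch" for part in p.parts[:-1])
    return ("patch_dir" if in_patch else "other", m.group(1), in_affected_range(m.group(1)))

def triage(paths):
    return {path: r for path in paths if (r := classify(path)) is not None}

FINDINGS = [
    # Path quoted in the post:
    r"C:\ManageEngine\ADManager Plus\Patch\ManageEngine_ADManager_Plus-7.2.0-SP-2.2"
    r"\SERVER\ES\plugins\search-guard-6\jackson-databind-2.8.11.1.jar",
    # Constructed sample paths (placeholders, not real product locations):
    r"C:\EXAMPLE\app\lib\jackson-databind-2.9.10.4.jar",
    r"C:\EXAMPLE\app\lib\jackson-databind-2.7.0-rc1.jar",
    r"C:\EXAMPLE\app\lib\commons-io-2.6.jar",
]

if __name__ == "__main__":
    for path, (location, version, affected) in triage(FINDINGS).items():
        print(f"{location:9} {version:10} affected={affected}  {path}")
```

The output only separates findings by location and version range; whether the Patch folders can be deleted is the question the post asks and is not decided by this script.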