Confluence Data Center / CONFSERVER-58859

After upgrading Confluence, in-product notification incorrectly indicates this version is vulnerable to CVE

Details

    Description

      Issue Summary

      After upgrading Confluence from 6.15.4 to 7.0.1, some sites are prompted with a CVE warning. Upon review, the CVE details clearly indicate that 7.0.1 and higher are not affected, so this notification does not apply.

      This causes time to be spent reviewing a CVE that is not applicable to our upgraded product. It can also cause panic and frustration for administrators who have just upgraded and incorrectly see this message.

      Environment

      • Confluence Server, upgrade from 6.15.4 to 7.0.1
      • Have Confluence 6.15.x installed
      • Have a valid Commercial license type activated in product

      Steps to Reproduce

      1. Wait a few days to allow Confluence to check in the SEN with the older, vulnerable version of Confluence.
      2. Upgrade to Confluence 7.0.1
      3. Upon the first login after the upgrade, you're prompted with:

      Expected Results

      After upgrading a product to a version outside the scope of a CVE notice, we should not be prompted that we're still vulnerable to said CVE.

      Actual Results

      We're prompted that we're still vulnerable to a CVE that is not relevant to our upgraded version.

      Notes

      For this to happen, it appears the admin would have to upgrade between the time Atlassian collected the version number associated with that SEN and the time Atlassian sent this whisper notification to appear in product for that SEN.

      Workaround

      Ignore the CVE notice as it does not pertain to our current version.
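
The timing gap described in the Notes comes from targeting the notice on a previously collected version. The following is an added example, not Atlassian's code, showing a display-time re-check against the running version; the `Advisory` and `Notice` types, the `evaluate` function and the placeholder CVE id are assumptions, the fixed version 7.0.1 is taken from this report, and versions are assumed to be plain dotted numbers.

```python
from dataclasses import dataclass


def parse_version(text):
    """Turn '6.15.4' into (6, 15, 4) so versions compare numerically.

    Comparing the raw strings would rank '10.0.0' below '7.0.1'.
    """
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Advisory:
    cve_id: str      # placeholder id; the report does not name the CVE
    fixed_in: str    # first unaffected version, per the advisory


@dataclass(frozen=True)
class Notice:
    advisory: Advisory
    reported_version: str  # version collected for the SEN when the notice was targeted


def evaluate(notice, running_version):
    """Decide at display time whether the notice still applies.

    reported_version is only a targeting hint and may be stale; the
    decision uses the version the instance is running right now.
    """
    fixed = parse_version(notice.advisory.fixed_in)
    if parse_version(running_version) < fixed:
        return "show"
    if parse_version(notice.reported_version) < fixed:
        # Upgraded between version collection and notice delivery.
        return "suppress-stale"
    return "suppress"


# Constructed sample: notice targeted while the SEN still reported 6.15.4.
ADVISORY = Advisory(cve_id="CVE-XXXX-XXXXX", fixed_in="7.0.1")
NOTICE = Notice(advisory=ADVISORY, reported_version="6.15.4")

if __name__ == "__main__":
    for version in ("6.15.4", "7.0.1", "10.0.0"):
        print(version, evaluate(NOTICE, version))
```

Logging the `suppress-stale` outcome gives an audit trail of notices that were targeted on outdated version data.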

            People

              acarvalho@atlassian.com Adilson Carvalho
              ssifers@atlassian.com Stephen Sifers