BUILD-1098: Dismiss CVE concerning json-io


    • Type: Task
    • Resolution: Done
    • Priority: Neutral
    • BOM 5.7.27, BOM 6.2.35

      [ERROR] json-io-4.14.0.jar: CVE-2023-34610(7.5) 

      Awaiting analysis

      https://nvd.nist.gov/vuln/detail/CVE-2023-34610

      Apparently only used by the cache browser app in dx-core 6.2.x:

      [INFO] |  +- info.magnolia.cache:magnolia-cache-browser-app:jar:5.9.6:compile
      [INFO] |  |  \- com.cedarsoftware:json-io:jar:4.14.0:compile

      Magnolia is already at the latest json-io version at the moment of writing. Perhaps worth moving to gson there, which seems to be more actively maintained? https://github.com/jdereg/json-io

      Update

      No reaction from vendor after more than one month. According to https://github.com/jdereg/json-io/issues/169:

      Using json-io to parse untrusted JSON String may be vulnerable to denial of service (DoS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.

      Magnolia uses the potentially vulnerable API (JsonReader.jsonToJava) at https://git.magnolia-cms.com/projects/MODULES/repos/cache/browse/magnolia-cache-browser-app/src/main/java/info/magnolia/cache/browser/rest/endpoint/CacheEndpoint.java#219.
      However, the input can't be provided by users who are not logged in, and it depends on module configuration, which only admins can access. Exploiting this seems very unlikely; therefore I would dismiss the CVE.

      Alternatively, one could replace json-io with gson.
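The issue quoted above describes unbounded recursion on deeply nested input. Where a parser has no depth limit of its own, a defender can bound the nesting depth of the document before it reaches the parser. The following is an added example written for this ticket; it is not Magnolia's or json-io's code, and the class name, the limit of 32 levels and the sample documents are constructed for illustration.

```java
import java.util.function.Function;

// Added example (not Magnolia's or json-io's code): bound the bracket nesting
// depth of a JSON document before it reaches a recursive parser with no depth
// limit. The class name and the limit used in main() are assumptions.
public final class JsonDepthGuard {

    private JsonDepthGuard() {}

    /**
     * Returns the maximum object/array nesting depth of the JSON text, ignoring
     * brackets that appear inside string literals. Throws IllegalArgumentException
     * as soon as the depth exceeds maxDepth, so an over-deep document is rejected
     * without being scanned to the end, and also on unbalanced or truncated input.
     */
    public static int measureDepth(String json, int maxDepth) {
        int depth = 0;
        int maxSeen = 0;
        boolean inString = false;
        boolean escaped = false;
        for (int i = 0; i < json.length(); i++) {
            char c = json.charAt(i);
            if (inString) {
                if (escaped) {
                    escaped = false;          // character after a backslash is literal
                } else if (c == '\\') {
                    escaped = true;
                } else if (c == '"') {
                    inString = false;
                }
                continue;
            }
            switch (c) {
                case '"':
                    inString = true;
                    break;
                case '{':
                case '[':
                    depth++;
                    if (depth > maxDepth) {
                        throw new IllegalArgumentException(
                            "JSON nesting exceeds " + maxDepth + " at offset " + i);
                    }
                    if (depth > maxSeen) {
                        maxSeen = depth;
                    }
                    break;
                case '}':
                case ']':
                    depth--;
                    if (depth < 0) {
                        throw new IllegalArgumentException(
                            "Unbalanced closing bracket at offset " + i);
                    }
                    break;
                default:
                    break;
            }
        }
        if (depth != 0 || inString) {
            throw new IllegalArgumentException("Truncated JSON document");
        }
        return maxSeen;
    }

    /** Runs the depth check first, so over-deep input never reaches the wrapped parser. */
    public static <T> T parseBounded(String json, int maxDepth, Function<String, T> parser) {
        measureDepth(json, maxDepth);
        return parser.apply(json);
    }

    public static void main(String[] args) {
        // Constructed sample: a small, legitimately nested document. The brackets
        // inside the string value "a]{" must not affect the measured depth.
        String ok = "{\"cache\":{\"entries\":[{\"key\":\"a]{\",\"ttl\":60}]}}";
        System.out.println("depth = " + measureDepth(ok, 32));   // prints 4

        // Constructed negative test for the guard: nesting far beyond the limit
        // is rejected at the 33rd opening bracket instead of being parsed.
        StringBuilder deep = new StringBuilder();
        for (int i = 0; i < 10_000; i++) deep.append('[');
        for (int i = 0; i < 10_000; i++) deep.append(']');
        try {
            measureDepth(deep.toString(), 32);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The guard is a pre-filter, not a JSON validator: it only tracks brackets and string literals, so it accepts some malformed documents that the real parser will still reject, which is fine because its only job is to keep the recursive parser's stack bounded. The wrapper can sit in front of any string-to-object parser call, including the JsonReader.jsonToJava call the ticket names, and the limit should be set from the deepest structure the endpoint legitimately expects rather than left generous.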

Assignee: Federico Grilli (fgrilli)
Reporter: Federico Grilli (fgrilli)