Build / BUILD-1125

Update to JackRabbit 2.20.11


    • Type: Task
    • Resolution: Done
    • Priority: Neutral
    • Fix Version: BOM 6.2.38

      https://nvd.nist.gov/vuln/detail/CVE-2023-37895

      Not an actual security issue as far as Magnolia is concerned, since the components involved aren't used (see also https://lists.apache.org/thread/j03b3qdhborc2jrhdc4d765d3jkh8bfw).

      We're going to update anyway to the latest version where possible (Magnolia 6.2.x) and suppress the CVE for Magnolia 5.7.x, as the latter uses an EOL version of JackRabbit (2.18.x) which no longer receives updates.


      Some CVE scan tools also list as vulnerable:

      • info.magnolia.ocm:jackrabbit-ocm:jar:2.0.1
      • org.apache.jackrabbit:oak-jackrabbit-api:jar:1.48.0

      Those look like false positives owing to the fact that the CPE for CVE-2023-37895 matches any Jackrabbit artifact: cpe:2.3:a:apache:jackrabbit:*:*:*:*:*:*:*:*
      Finally, JR stated that only Apache Jackrabbit Webapp and Apache Jackrabbit Standalone are affected, and those are components of the Jackrabbit project proper.
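The false-positive mechanism described above, as an added example that is not code from this ticket, from Magnolia or from Apache Jackrabbit: a name-based scanner assigns every artifact with "jackrabbit" in its coordinates the same vendor/product CPE, the product-wide NVD criterion then matches all of them, and only a narrower rule keyed on the artifacts the Jackrabbit advisory actually names (jackrabbit-webapp, jackrabbit-standalone) separates real hits from noise. The inventory, the scanner-assigned CPEs and the use of 2.20.11 (the version in the ticket title) as the versionEndExcluding boundary are constructed for this example.

```python
"""Triage of CPE-based matches for CVE-2023-37895 (illustrative, not project code)."""
from dataclasses import dataclass

ANY = "*"
# Product-wide criterion: every field after vendor/product is a wildcard,
# so it matches any artifact a scanner has tagged as apache:jackrabbit.
NVD_CRITERION = "cpe:2.3:a:apache:jackrabbit:*:*:*:*:*:*:*:*"
# Assumed fixed version, taken from the ticket title; treated as versionEndExcluding.
VERSION_END_EXCLUDING = "2.20.11"
# Components the Jackrabbit advisory names as affected.
ADVISORY_ARTIFACTS = {"jackrabbit-webapp", "jackrabbit-standalone"}

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 named attributes.
    Escaped colons inside a field are not handled; none of the inputs here use them."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_FIELDS, parts[2:]))


def version_key(v: str) -> tuple:
    """Numeric key for dotted versions; non-numeric components sort as 0 (enough here)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def cpe_matches(criterion: str, target: str) -> bool:
    """CPE 2.3 name matching: '*' in the criterion matches any value in the target."""
    c, t = parse_cpe23(criterion), parse_cpe23(target)
    return all(c[f] == ANY or c[f] == t[f] for f in CPE_FIELDS)


@dataclass(frozen=True)
class Dep:
    group: str
    artifact: str
    version: str
    scanner_cpe: str  # CPE a name-based scanner assigned (constructed for this example)


# Constructed inventory: the two artifacts the ticket lists as false positives, a core
# jar, and jackrabbit-webapp before and at the fixed version. Each gets the CPE a
# name-based scanner would derive because "jackrabbit" appears in the artifactId.
INVENTORY = [
    Dep("org.apache.jackrabbit", "jackrabbit-webapp", "2.20.10",
        "cpe:2.3:a:apache:jackrabbit:2.20.10:*:*:*:*:*:*:*"),
    Dep("org.apache.jackrabbit", "jackrabbit-core", "2.20.10",
        "cpe:2.3:a:apache:jackrabbit:2.20.10:*:*:*:*:*:*:*"),
    Dep("info.magnolia.ocm", "jackrabbit-ocm", "2.0.1",
        "cpe:2.3:a:apache:jackrabbit:2.0.1:*:*:*:*:*:*:*"),
    Dep("org.apache.jackrabbit", "oak-jackrabbit-api", "1.48.0",
        "cpe:2.3:a:apache:jackrabbit:1.48.0:*:*:*:*:*:*:*"),
    Dep("org.apache.jackrabbit", "jackrabbit-webapp", "2.20.11",
        "cpe:2.3:a:apache:jackrabbit:2.20.11:*:*:*:*:*:*:*"),
]


def flagged_by_cpe(dep: Dep) -> bool:
    """What a CPE-only scanner reports: criterion matches and version < fixed version."""
    return (cpe_matches(NVD_CRITERION, dep.scanner_cpe)
            and version_key(dep.version) < version_key(VERSION_END_EXCLUDING))


def affected_per_advisory(dep: Dep) -> bool:
    """Narrowed check: same version test, restricted to the advisory's own artifacts."""
    return (dep.group == "org.apache.jackrabbit"
            and dep.artifact in ADVISORY_ARTIFACTS
            and version_key(dep.version) < version_key(VERSION_END_EXCLUDING))


def triage(inventory=INVENTORY) -> dict:
    """Map coordinate -> (scanner_flag, affected). Flagged but not affected = false positive."""
    return {f"{d.group}:{d.artifact}:{d.version}": (flagged_by_cpe(d), affected_per_advisory(d))
            for d in inventory}


def false_positives(inventory=INVENTORY) -> list:
    """Coordinates the scanner flags that the advisory does not cover."""
    return sorted(k for k, (flag, real) in triage(inventory).items() if flag and not real)


if __name__ == "__main__":
    for coord, (flag, real) in triage().items():
        print(f"{coord:55} scanner={flag!s:5} affected={real}")
    print("false positives:", false_positives())
```

In practice the narrowed rule becomes a scanner suppression scoped to the specific coordinates (or package URL) of the non-affected artifacts rather than a blanket suppression of the CVE, so that a genuinely vulnerable jackrabbit-webapp or jackrabbit-standalone below the fixed version would still be reported.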

        Acceptance criteria

              Assignee: Federico Grilli (fgrilli)
              Reporter: Federico Grilli (fgrilli)
              Component: Foundation