Not an actual security issue as far as Magnolia is concerned, since the components involved aren't used (see also https://lists.apache.org/thread/j03b3qdhborc2jrhdc4d765d3jkh8bfw).
We're going to update anyway to the latest version where possible (Magnolia 6.2.x) and suppress the CVE for Magnolia 5.7.x as the latter uses a EOL version of JackRabbit (2.18.x) which no longer receives updates.
Some CVE scan tools list as vulnerable also
Those look like false positives owing to the fact that the CPE for CVE-2023-37895 matches any Jackrabbit artifact cpe:2.3:a:apache:jackrabbit::::::::**
Finally, JR stated that Apache Jackrabbit Webapp and Apache Jackrabbit Standalone only are affected and those are components of the Jackrabbit project proper