JasperReports still depends on com.lowagie.itext 2.1.7. As reported at https://nvd.nist.gov/vuln/detail/CVE-2021-43113:
Base Score: 9.8 CRITICAL
iTextPDF in iText before 7.1.17 allows command injection via a CompareTool filename that is mishandled on the gs (aka Ghostscript) command line in GhostscriptHelper.java.
Can you give further details on whether JasperReports is affected or not?
If it is:
* are there any mitigations?
* is a patch scheduled?