As checked jasperreports-6.16.0 and jasperreports-6.19.0 have optional dependency on "spring-core-5.3.14" and "spring-beans-5.3.14" that have security vulnerability "CVE-2022-22965" as reported in "https://mvnrepository.com/" . According to "National Vulnerability Database" (NVD), the CVSS score is 9.8 and is rated as CRITICAL.
Please help us to understand whether it is actually 9.8 as per TIBCO's point of view & do you see any security risk is using it.
[Note: Same issue is reported by me on github as well. You can mark duplicate to anyone.]