Hi,

Referring to the discussion in [MNG-7828] Bump guava from 30.1-jre to 32.0.1-jre by bvolpato · Pull Request #1191 · apache/maven (github.com) <https://github.com/apache/maven/pull/1191> which is a fix for NVD - CVE-2023-2976 (nist.gov) <https://nvd.nist.gov/vuln/detail/CVE-2023-2976>, maven-3.8.x is still maintained. So, can you confirm if maven-3.8.x is affected by the CVE? Request to provide a patch if applicable.

Background about the CVE: maven-3.8.7 uses guice, which in turn fetches guava-25.1 as a dependency. Guava-25.1 is vulnerable. A safe guava version is 32.0.1. Is there any plan to upgrade the guice version in maven-3.8.x so that the corresponding guava it fetches is safe?

Regards,
Sindhu
