I don't think Profile Version 2.3.0 is the LittleCMS version. At the time of writing, OpenJDK@11.0.21 corretto is at LCMS 2.15 per https://github.com/corretto/corretto-11/tree/11.0.21.9.1/src/java.desktop/share/native/liblcms/.

You may also be able to obtain the LCMS version by parsing the "legal" files distributed with OpenJDK:

    cat <path-to-java-home>/legal/java.desktop/lcms.md | grep "(LCMS) v"

... or on Windows:

    type "<path-to-java-home>\legal\java.desktop\lcms.md" | find "(LCMS) v"

Updating this dependency is done by the OpenJDK team. Contacting them is difficult, so most organizations requiring this low level of control purchase a support plan: https://medium.com/@javachampions/java-is-still-free-3-0-0-ocrt-2021-bca75c88d23b#8400.

With regard to the severity of each CVE, those questions are probably best asked of C developers; PDFBOX is predominantly written in Java.

-Tres
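
Added example, not part of the original reply: the legal-file lookup above, extended to inventory several JDK homes and flag any whose bundled LCMS is older than a minimum you supply. The function names, the sample header line (constructed to match the `(LCMS) v` pattern) and the threshold 2.12 are assumptions for illustration.

```shell
#!/bin/sh
# Print the LCMS version recorded in <java-home>/legal/java.desktop/lcms.md.
# Returns 2 if the file is missing, 3 if no "(LCMS) v<version>" line is found.
lcms_version() {
    legal="$1/legal/java.desktop/lcms.md"
    [ -r "$legal" ] || return 2
    ver=$(sed -n 's/.*(LCMS) v\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p' "$legal" | head -n 1)
    [ -n "$ver" ] || return 3
    printf '%s\n' "$ver"
}

# True when dotted version $1 sorts strictly before $2 (numeric per field).
version_lt() {
    [ "$1" != "$2" ] || return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# audit_jdks MIN HOME... : one tab-separated line per JDK home
# (path, version, state). MIN comes from the advisory you are tracking.
audit_jdks() {
    min="$1"; shift
    for home in "$@"; do
        if v=$(lcms_version "$home"); then
            if version_lt "$v" "$min"; then state="below-$min"; else state="ok"; fi
        else
            v="unknown"; state="no-version-found"
        fi
        printf '%s\t%s\t%s\n' "$home" "$v" "$state"
    done
}

# Constructed sample: a fake JDK home that holds only the legal file.
make_sample_home() {
    mkdir -p "$1/legal/java.desktop"
    printf '## Little Color Management System (LCMS) v%s\n' "$2" \
        > "$1/legal/java.desktop/lcms.md"
}

demo() {
    tmp=$(mktemp -d)
    make_sample_home "$tmp/jdk-a" 2.15
    make_sample_home "$tmp/jdk-b" 2.9
    mkdir -p "$tmp/jdk-c"    # no legal file, e.g. a stripped runtime image
    audit_jdks 2.12 "$tmp/jdk-a" "$tmp/jdk-b" "$tmp/jdk-c"   # 2.12: arbitrary
    rm -rf "$tmp"
}
demo
```

A home reported as `no-version-found` needs a manual check, since a stripped or repackaged runtime may ship without the legal directory.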