confluentinc / kafka-images

Confluent Docker images for Apache Kafka
Apache License 2.0
30 stars 137 forks

Vulnerability issue with 6.2.8 cp images CVE-2014-125087 #210

Open cedricAI23 opened 1 year ago

cedricAI23 commented 1 year ago

The following image is vulnerable to CVE-2014-125087. Please provide a resolution and the date of the quarterly release.

Image: cp-kafka-connect

```
% trivy image 323640293338.dkr.ecr.us-east-2.amazonaws.com/cp-kafka-connect:6.2.8-arthur-1 |grep CVE-2014-125087
2023-03-09T11:46:40.001-0500 INFO Need to update DB
2023-03-09T11:46:40.002-0500 INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2023-03-09T11:46:40.002-0500 INFO Downloading DB...
35.94 MiB / 35.94 MiB [--------------------------------------------------------------------] 100.00% 18.38 MiB p/s 2.2s
2023-03-09T11:46:42.922-0500 INFO Vulnerability scanning is enabled
2023-03-09T11:46:42.922-0500 INFO Secret scanning is enabled
2023-03-09T11:46:42.922-0500 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-03-09T11:46:42.922-0500 INFO Please see also https://aquasecurity.github.io/trivy/v0.36/docs/secret/scanning/#recommendation for faster secret detection
2023-03-09T11:46:43.738-0500 INFO Detected OS: redhat
2023-03-09T11:46:43.738-0500 INFO Detecting RHEL/CentOS vulnerabilities...
2023-03-09T11:46:43.763-0500 INFO Number of language-specific files: 2
2023-03-09T11:46:43.763-0500 INFO Detecting python-pkg vulnerabilities...
2023-03-09T11:46:43.764-0500 INFO Detecting jar vulnerabilities...
2023-03-09T11:46:43.811-0500 INFO Table result includes only package filenames. Use '--format json' option to get the full path to the package file.
2023-03-09T11:46:43.819-0500 INFO Table result includes only package filenames. Use '--format json' option to get the full path to the package file.
│ com.jamesmurty.utils:java-xmlbuilder │ CVE-2014-125087 │ CRITICAL │ 0.4 │ 1.2 │ java-xmlbuilder: XMLBuilder2 is vulnerable to XML External │
```

janjwerner-confluent commented 1 year ago

@cedricAI23 I have scanned confluentinc/cp-kafka-connect:6.2.8 and I don't see that package included.
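The scanned tag above (`6.2.8-arthur-1`, pulled from a private ECR registry) is a derived image, and the maintainer's scan of the upstream `confluentinc/cp-kafka-connect:6.2.8` does not show the package, so the first triage step is to establish which layer the flagged jar lives in. Trivy's table output only shows the jar filename, but its JSON report (`trivy image --format json -o report.json <image>`) records, per finding, the package path (`PkgPath`) and the layer it was found in (`Layer.DiffID`). Comparing those DiffIDs with the upstream image's `RootFS.Layers` from `docker image inspect` tells you whether the finding belongs to the base image or to something added on top (for example a connector plugin bundled into `/usr/share/java` or a custom plugin path). The script below is an added example, not code from this repository or from either commenter; the report it parses is constructed sample data in Trivy's JSON shape, the `CVE-0000-00000` entry and all layer digests and paths are placeholders, and the field names used are Trivy's (`Results`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `PkgPath`, `InstalledVersion`, `FixedVersion`, `Layer.DiffID`).

```python
"""Attribute Trivy findings to upstream vs. derived image layers.

Added example for triaging a scanner report against a derived image:
is the flagged package in the vendor's layers, or in a layer built on top?
"""
import json

# Constructed sample report in Trivy's JSON shape. The second finding uses
# the placeholder ID CVE-0000-00000; digests and paths are invented.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example.invalid/cp-kafka-connect:6.2.8-custom",
    "Results": [
        {
            "Target": "registry.example.invalid/cp-kafka-connect:6.2.8-custom (redhat 8)",
            "Class": "os-pkgs",
            "Type": "redhat",
            "Vulnerabilities": [
                {
                    "VulnerabilityID": "CVE-0000-00000",   # placeholder, not a real CVE
                    "PkgName": "example-os-package",
                    "InstalledVersion": "1.0",
                    "FixedVersion": "1.1",
                    "Severity": "MEDIUM",
                    "Layer": {"DiffID": "sha256:aaaa0000000000000000000000000000000000000000000000000000000000aa"},
                },
            ],
        },
        {
            "Target": "Java",
            "Class": "lang-pkgs",
            "Type": "jar",
            "Vulnerabilities": [
                {
                    "VulnerabilityID": "CVE-2014-125087",
                    "PkgName": "com.jamesmurty.utils:java-xmlbuilder",
                    "PkgPath": "usr/share/java/kafka-connect-plugins/acme-connector/lib/java-xmlbuilder-0.4.jar",
                    "InstalledVersion": "0.4",
                    "FixedVersion": "1.2",
                    "Severity": "CRITICAL",
                    "Layer": {"DiffID": "sha256:bbbb0000000000000000000000000000000000000000000000000000000000bb"},
                },
            ],
        },
    ],
})

# Constructed stand-in for the output of:
#   docker image inspect --format '{{json .RootFS.Layers}}' confluentinc/cp-kafka-connect:6.2.8
# Only the "aaaa..." layer is upstream in this sample; "bbbb..." was added by a derived build.
UPSTREAM_DIFF_IDS = [
    "sha256:aaaa0000000000000000000000000000000000000000000000000000000000aa",
]


def load_findings(report_text):
    """Flatten a Trivy JSON report into one record per (CVE, package, path)."""
    report = json.loads(report_text)
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            layer = vuln.get("Layer") or {}
            findings.append({
                "cve": vuln["VulnerabilityID"],
                "severity": vuln.get("Severity", "UNKNOWN"),
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion"),
                "fixed": vuln.get("FixedVersion"),
                # OS packages carry no PkgPath; fall back to the result target.
                "path": vuln.get("PkgPath") or result.get("Target"),
                "layer_diff_id": layer.get("DiffID"),
            })
    return findings


def attribute_findings(findings, upstream_diff_ids):
    """Label each finding by origin: 'upstream' if its layer is one of the
    vendor image's layers, 'derived' if it was added on top, 'unknown' if
    Trivy recorded no layer for it."""
    upstream = set(upstream_diff_ids)
    attributed = []
    for f in findings:
        if f["layer_diff_id"] is None:
            origin = "unknown"
        elif f["layer_diff_id"] in upstream:
            origin = "upstream"
        else:
            origin = "derived"
        attributed.append(dict(f, origin=origin))
    return attributed


def summarize(attributed, cve):
    """Return {origin: [paths]} for one CVE: the evidence a maintainer needs
    to decide whether a report against a derived tag is theirs to fix."""
    summary = {}
    for f in attributed:
        if f["cve"] == cve:
            summary.setdefault(f["origin"], []).append(f["path"])
    return summary


if __name__ == "__main__":
    attributed = attribute_findings(load_findings(SAMPLE_REPORT), UPSTREAM_DIFF_IDS)
    for f in attributed:
        print(f"{f['cve']:16} {f['severity']:8} {f['origin']:8} {f['pkg']} {f['installed']} -> {f['fixed']}  {f['path']}")
```

With the sample data, the java-xmlbuilder finding is attributed to the derived layer and its path points into a plugin directory, which is the information to attach to a report like this one: the jar path and the layer digest, so the maintainer can tell at a glance whether the package shipped in the upstream image or was introduced by a plugin or a later build step.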