As of https://github.com/advisories/GHSA-j288-q9x7-2f5v core is shipping an old library with an unresolved security vulnerability. It would be ideal if this could be removed from Jenkins core, but before that can happen:

• Jenkins core itself needs to stop consuming it, including our fork of Json-Lib
• Jenkins plugins need to stop consuming it, by migrating either to plain Java Platform functionality or to the Commons Lang 3 Jenkins library plugin

See https://github.com/jenkinsci/jenkins/pull/8996#issuecomment-2033276342 for further discussion.