Re: security vulnerability: janusgraph-full-1.0.0-rc1: in ./lib ( netty-all.4.1.58.Final) as well as ./lib/gremlin-console-3.6.1.jar & gremlin-driver.3.6.1.jar (netty-all.4.1.77.Final)


Yingjie Li

Hello Marc,

Yes, they are in the ./lib directory of janusgraph-1.0.0-rc1 and they
embed netty-all-4.1.77.Final.jar, whose CVEs are listed at
https://mvnrepository.com/artifact/io.netty/netty-all/4.1.77.Final;
the latest version is 4.1.87. The ./lib/ directory also comes with
netty-all-4.1.58.Final.jar.

Actually, in the all-in-one package janusgraph-full-1.0.0-rc1 that comes
with Cassandra 4.0.6, the netty-all version in both the JanusGraph lib and
the Cassandra lib is 4.1.58, which carries a higher security risk
(CVSS 8.4, sonatype-2021-0789). I was able to successfully replace the
one in the JanusGraph lib with the latest 4.1.87 version, but replacing
the one in the Cassandra lib threw an exception and it failed to start.

I also checked the latest Cassandra (4.1.0) and it still has the old
version of the jar (4.1.58). I am just wondering whether anybody has
experience replacing this jar with a higher version in Cassandra or in
the Gremlin console and driver 3.6.1.

Also, any pointers to other user groups that might be able to help would
be appreciated.

Thanks,
Yingjie
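A check a maintainer can run to inventory every netty-all jar shipped in a distribution like this, including copies nested inside fat jars such as gremlin-console, and flag those below a chosen minimum version. This is an added example in Python, not code from the JanusGraph, Cassandra or Netty projects; it assumes Maven-style file names (e.g. netty-all-4.1.58.Final.jar) and builds a constructed sample lib/ tree of empty placeholder jars so it runs offline.

```python
"""Inventory netty-all jars under a lib/ tree, including jars nested inside
other jars, and flag versions older than a minimum. Added example; the
sample directory layout below is constructed, not taken from a real release."""
import io
import os
import re
import tempfile
import zipfile

# Maven-style netty-all file name, e.g. netty-all-4.1.58.Final.jar.
# Group 1 captures the numeric part of the version.
NETTY_RE = re.compile(r"netty-all-(\d+(?:\.\d+)*)(?:\.Final)?\.jar$")


def parse_version(v):
    """Turn '4.1.87' into (4, 1, 87) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def find_netty_in_jar(jar_path):
    """Return (entry_name, version) for every netty-all jar bundled inside jar_path."""
    found = []
    try:
        zf = zipfile.ZipFile(jar_path)
    except zipfile.BadZipFile:
        return found  # not a real jar; skip rather than crash the scan
    with zf:
        for name in zf.namelist():
            m = NETTY_RE.search(os.path.basename(name))
            if m:
                found.append((name, m.group(1)))
    return found


def inventory(lib_dir):
    """Walk lib_dir and return (location, version) for each netty-all found.
    Nested copies are reported as 'outer.jar!inner/path'."""
    results = []
    for root, _dirs, files in os.walk(lib_dir):
        for f in files:
            path = os.path.join(root, f)
            rel = os.path.relpath(path, lib_dir)
            m = NETTY_RE.search(f)
            if m:
                results.append((rel, m.group(1)))
            elif f.endswith(".jar"):
                for name, ver in find_netty_in_jar(path):
                    results.append((rel + "!" + name, ver))
    return results


def outdated(results, minimum):
    """Keep only entries whose version is strictly below the minimum."""
    min_v = parse_version(minimum)
    return [(loc, ver) for loc, ver in results if parse_version(ver) < min_v]


def build_sample_tree():
    """Constructed layout mirroring the thread: a plain netty jar in lib/, a
    gremlin-console jar embedding its own netty, and a bundled cassandra/lib."""
    base = tempfile.mkdtemp()
    lib = os.path.join(base, "lib")
    os.makedirs(os.path.join(lib, "cassandra", "lib"))

    def empty_jar(path):
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")

    empty_jar(os.path.join(lib, "netty-all-4.1.58.Final.jar"))
    empty_jar(os.path.join(lib, "cassandra", "lib", "netty-all-4.1.58.Final.jar"))
    # Fat jar with a nested netty-all jar, as gremlin-console-3.6.1.jar has.
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as nz:
        nz.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with zipfile.ZipFile(os.path.join(lib, "gremlin-console-3.6.1.jar"), "w") as zf:
        zf.writestr("lib/netty-all-4.1.77.Final.jar", inner.getvalue())
    return lib


def run_sample(minimum="4.1.87"):
    """Scan the constructed tree; returns the sorted list of outdated copies."""
    return sorted(outdated(inventory(build_sample_tree()), minimum))


if __name__ == "__main__":
    for loc, ver in run_sample():
        print(f"{ver:<10} {loc}")
```

Point `inventory()` at the real `lib/` of an unpacked release instead of the constructed tree to get the same report; a copy that only appears as `something.jar!...` is one that replacing the top-level netty-all jar will not touch, which is worth knowing before deciding a distribution is clean.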

On Wed, Jan 25, 2023 at 2:06 AM <hadoopmarc@...> wrote:

Hi Yingjie,

Sorry, I do not understand. The gremlin-console-3.6.1.jar and gremlin-driver.3.6.1.jar are part of janusgraph-1.0.0-rc1.

Marc
