Jenkins CVE info

Hi Team,
We are currently running Jenkins LTS version 2.387.3 on an Azure Windows VM.
The security team in our organization has raised the below CVE to be addressed: Jenkins Security Advisory 2023-10-18.

We are not using the --http2Port argument to java -jar jenkins.war or corresponding options in service configuration files.

Do we still need to plan an upgrade to address these CVEs?

Please confirm.

Regards,
Azeem

Not this specific CVE, as you don’t use http2, but there are other, more severe issues in the Jenkins version that you’re using (which is about 20 months old), e.g. the one described in Jenkins Security Advisory 2024-01-24.