jruby-complete 9.3.8.0 embeds a version of bundler at ./META-INF/jruby.home/lib/ruby/gems/shared/gems/bundler-2.2.29/ that is subject to CVE-2021-43809.

In bundler versions before 2.2.33, when working with untrusted and apparently harmless Gemfile's, it is not expected that they lead to execution of external code, unless that's explicit in the ruby code inside the Gemfile itself. ...