Update jruby-openssl to v0.15.5 to resolve BouncyCastle 1.79 vulnerability (sonatype-2025-001911). #9097

@xavifeds8

Description

JRuby currently bundles jruby-openssl v0.15.4, which includes BouncyCastle 1.79 that has a known security vulnerability.
An updated version of jruby-openssl (v0.15.5) with BouncyCastle 1.81 is available but has not been incorporated into any JRuby release yet.
Please update JRuby to use jruby-openssl v0.15.5 or later in the next release to resolve this security vulnerability.

Bouncy Castle is vulnerable due to the Use of Weak Hash. The createClone() method in the DigestFactory$2.class class does not properly clone SHA-1 hashes. An unsuspecting developer can use the vulnerable method to perform cryptographic operations, exposing the application to collision attacks.

References:

  1. jruby/jruby-openssl@v0.15.4...v0.15.5#diff-182445848759e3e1da029cd16c16c6f7c30b5d81c1efa71ffd11f52d8da2fa65
  2. https://cwe.mitre.org/data/definitions/328.html
  3. bcgit/bc-java@8ecc0b3
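Added here as a defensive check, not code from the issue or from the JRuby project: a Ruby snippet that scans a Gemfile.lock for the jruby-openssl pin and reports whether it is below the fixed release named above (0.15.5). It uses Gem::Version so that 0.15.10 sorts after 0.15.5, and it strips the `-java` platform suffix so it is not mistaken for a prerelease tag. The sample lockfile is constructed.

```ruby
require 'rubygems'

# Fixed release of jruby-openssl named in the issue (bundles BouncyCastle 1.81).
FIXED_JRUBY_OPENSSL = Gem::Version.new('0.15.5')

# Constructed sample Gemfile.lock, pinning the vulnerable 0.15.4-java build.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      jruby-openssl (0.15.4-java)
      rake (13.2.1)

  PLATFORMS
    universal-java-17

  DEPENDENCIES
    jruby-openssl (>= 0.15.4)
LOCK

# Spec entries sit at 4-space indent as "    jruby-openssl (x.y.z[-platform])";
# dependency lines (6-space indent, "(>= ...)") are deliberately not matched.
SPEC_LINE = /\A {4}jruby-openssl \((\d+(?:\.\d+)*)(?:-[^)]*)?\)/

# Returns one {version:, vulnerable:} hash per jruby-openssl spec entry.
# The platform suffix is dropped before comparison: Gem::Version would
# otherwise read "0.15.5-java" as a prerelease of 0.15.5 and flag it.
def check_jruby_openssl(lockfile_text, fixed: FIXED_JRUBY_OPENSSL)
  lockfile_text.each_line.filter_map do |line|
    m = SPEC_LINE.match(line)
    next unless m
    { version: m[1], vulnerable: Gem::Version.new(m[1]) < fixed }
  end
end

# True if any pinned jruby-openssl is older than the fixed release.
def vulnerable_jruby_openssl?(lockfile_text)
  check_jruby_openssl(lockfile_text).any? { |r| r[:vulnerable] }
end

if __FILE__ == $PROGRAM_NAME
  check_jruby_openssl(SAMPLE_LOCKFILE).each do |r|
    puts "jruby-openssl #{r[:version]}: #{r[:vulnerable] ? 'UPDATE NEEDED' : 'ok'}"
  end
end
```

Run it against a real lockfile with `check_jruby_openssl(File.read('Gemfile.lock'))`; an empty result means the gem is not pinned in that file at all, which is worth treating as "unknown" rather than "safe".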
