The maintenance patch was published today before you asked about it, and the release notes cover that this issue was resolved.
We should also note that if you read the CVEs, the exploits are if you use Netty to open a webserver. Netty has a lot of functionality, and this particular functionality is not used in the dependency inside the Couchbase SDK, which is shadowed into a separate namespace. If you’re using this functionality in your own apps, it’d come from a separate netty.io package namespace. So, in many ways, it’s a theoretical exploit that you are in control of-- if you’re using the com.couchbase.client.deps packages directly from your app, please don’t and then you can’t run into the exploits.
All of that said, we know you want security scans to pass clean, which is why we updated it.