A CVE (CVE-2020-28052) has been reported for BouncyCastle, the cryptography library used by EJBCA.
This does not present a vulnerability in EJBCA, as it affects versions 1.65 and 1.66 of the library, while EJBCA runs version 1.67. In addition to that, the affected code is not referenced by EJBCA.