??Which basically means JNDIConnectionSource is meant to download (and run) DataSource class via JNDI.

Right in this regard, maybe even CVE-2021-44228 should not deserve a CVE, since it's just doing something intended by design. Am I wrong?