ush.it reported multiple flaws affecting jetty 6.x and 7.x: http://www.ush.it/2009/10/25/jetty-6x-and-7x-multiple-vulnerabilities/ Following information leaks problems are reported for demo applications: A) "Dump Servlet" information leak (Affected versions: Any) B) "FORM Authentication demo" information leak (Affected versions: Any) and XSS issues: C) "JSP Dump" reflected XSS (Affected versions: Any) D) "Session Dump Servlet" stored XSS (Affected versions: Any) G) "Cookie Dump Servlet" stored XSS (Affected versions: =<6.1.20) H) WebApp JSP Snoop page XSS (Affected versions: =<6.1.21)
Local copy of the advisory: https://bugzilla.redhat.com/show_bug.cgi?id=532675#c1
As noted in the advisory, 'G) "Cookie Dump Servlet" stored XSS' was previously made public via Core Security advisory - see CVE-2009-3579 / bug #532656.
I'm not sure why A) and B) are considered information leaks. Dump Servlet mostly contains information relevant to the current connection that is already known to the client. For the rest, it's purpose of that demo to dump that info, so it's not really a flaw in jetty, rather in production deployment where that demo is not disabled. For the FORM Authentication demo, the only leak mentioned is an information that jetty is running on the host. Server (including version) identification in HTTP reply header is as good, if not better, source of such info. I'm not sure if upstream is going to do anything about those.
I don't see any fix for the other XSS issues committed in upstream SVN so far, but the fixes should appear in 6.1.22.
Example applications are no longer included in jetty 6.x packages.