In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output. Reference: https://bugs.eclipse.org/bugs/show_bug.cgi?id=553443
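The flaw described above is the plain unescaped-output pattern: an exception message, which may carry request-derived text, is concatenated into the error body. The following is an added illustration, not Jetty's own code, showing that pattern next to an escaped form for both content types the description names (text/html and text/json); the class, method names and sample message are constructed for this example, and only the JDK is used.

```java
import java.util.Locale;
public final class ErrorMessageEscaping {
    // Constructed sample exception message (not from the bug report): text that would
    // break out of an HTML paragraph or a JSON string if written verbatim.
    static final String SAMPLE_MESSAGE = "value <b>not</b> numeric & \"quoted\" \\ end";
    // The pattern the report describes: the raw message is concatenated into text/html output.
    static String renderHtmlUnescaped(int status, String message) {
        return "<h2>HTTP ERROR " + status + "</h2><p>" + message + "</p>";
    }
    // Hardened form: escape the characters that can end text content or an attribute value.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
    static String renderHtmlEscaped(int status, String message) {
        return "<h2>HTTP ERROR " + status + "</h2><p>" + escapeHtml(message) + "</p>";
    }
    // text/json form: escape backslash, quote and control characters so the message
    // stays one JSON string and cannot add members to the error object.
    static String escapeJson(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '"' || c == '\\') sb.append('\\').append(c);
            else if (c < 0x20) sb.append(String.format(Locale.ROOT, "\\u%04x", (int) c));
            else sb.append(c);
        }
        return sb.toString();
    }
    static String renderJsonEscaped(int status, String message) {
        return "{\"status\":" + status + ",\"message\":\"" + escapeJson(message) + "\"}";
    }
    public static void main(String[] args) {
        System.out.println(renderHtmlUnescaped(500, SAMPLE_MESSAGE)); // markup survives into the page
        System.out.println(renderHtmlEscaped(500, SAMPLE_MESSAGE));   // rendered as literal text
        System.out.println(renderJsonEscaped(500, SAMPLE_MESSAGE));   // remains a single JSON string
    }
}
```

Compile and run with `javac ErrorMessageEscaping.java && java ErrorMessageEscaping` to compare the three bodies; the unescaped one is the shape a browser would interpret as markup.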
Created jetty tracking bugs for this issue: Affects: fedora-all [bug 1781215]
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Fuse 6
* Red Hat JBoss Fuse Service Works 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
RHSSO doesn't ship Jetty at all, just adapters that can be deployed on top of Jetty; hence marking RHSSO as not affected.
Satellite 5.8 is currently in Maintenance Support 2 phase, which means we're addressing only Critical Impact Security Advisories. Reference: https://access.redhat.com/support/policy/updates/satellite
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-17632