In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output.
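The missing escaping described above, as an added example that is not Jetty's code or its fix: a minimal error-body renderer with the unescaped "before" form beside HTML-escaped and JSON-escaped forms. The class name, method names and the sample exception message are constructed for illustration.

```java
public class ErrorPageEscaping {
    // Escape the five characters that can change HTML structure.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Escape for a JSON string value; '<', '>' and '&' are also encoded so
    // the value stays inert if a client treats the body as HTML.
    static String escapeJson(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            if (c == '"' || c == '\\') out.append('\\').append(c);
            else if (c < 0x20 || c == '<' || c == '>' || c == '&')
                out.append(String.format("\\u%04x", (int) c));
            else out.append(c);
        }
        return out.toString();
    }

    // "Before" form: the exception text is written into the body verbatim.
    static String htmlUnescaped(Throwable t) {
        return "<h3>Caused by:</h3><pre>" + t + "</pre>";
    }

    // Hardened forms: the exception text is escaped for its output context.
    static String htmlEscaped(Throwable t) {
        return "<h3>Caused by:</h3><pre>" + escapeHtml(String.valueOf(t)) + "</pre>";
    }

    static String jsonEscaped(Throwable t) {
        return "{\"cause\":\"" + escapeJson(String.valueOf(t)) + "\"}";
    }

    public static void main(String[] args) {
        // Constructed sample: a message that echoes request-derived text.
        Throwable t = new IllegalArgumentException("bad id \"<b>x</b>\"");
        System.out.println(htmlUnescaped(t));
        System.out.println(htmlEscaped(t));
        System.out.println(jsonEscaped(t));
    }
}
```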
Created jetty tracking bugs for this issue:
Affects: fedora-all [bug 1781215]
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Fuse 6
* Red Hat JBoss Fuse Service Works 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
RHSSO doesn't ship Jetty at all, just adapters that can be deployed on top of Jetty, hence marking RHSSO as not affected.