Information
Being able to specify custom status messages opens up the possibility for additional headers to be injected. If custom header status messages are required make sure it is only in US-ASCII and does not include any user-supplied data.
Allowing user-supplied data into a header allows the possibility of XSS.
Solution
Start Jetty with USE_CUSTOM_STATUS_MSG_IN_HEADER set to false. Add the following to the startup script.
Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=false.
By default allowing custom header status messages is set to false.