Based on my research, the affected feature is opt-in and not used in Jenkins/Winstone. I had to change Winstone to even get close to the affected code.
(If you are aware of ways to exploit this issue in Jenkins, please let us know:
https://www.jenkins.io/security/reporting/ )
Given recent repeated trouble with regressions introduced by Jetty upgrades, we decided not to expedite this into LTS as it appears Jenkins is unaffected.
If you value the results of automated dependency scanners over stability, I recommend you use weekly releases of Jenkins, which have included this update for several weeks.