What do you know—I encountered a Jetty vulnerability while trying to prepare a new 3.7.0 RC:
CVE-2020-27223 describes it as:
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.
This may not be the end of the world wrt. ZooKeeper, but it doesn't look good in a fresh release.