If the web server is not configured to use at least A-Z, a-z, and 0-9 to generate session identifiers, this is a finding.

Vul ID 41809 The web server must generate a session ID using as much of the character set as possible to reduce the risk of brute force.

Dx NetOps Performance Management 21.2.x

Jetty generates the JSESSION IDs.  We don't have any control over the letters/digits that JSESSIONID uses.  Anyone using jetty and session objects has the same issue.