Description
In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the fix for CVE-2016-4993 was incomplete and Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also response splitting, due to insufficient sanitization and validation of user input before the input is used as part of an HTTP header value.
Remediation
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1067
https://access.redhat.com/errata/RHSA-2018:1251
https://access.redhat.com/errata/RHSA-2018:1249
https://access.redhat.com/errata/RHSA-2018:1248
https://access.redhat.com/errata/RHSA-2018:1247
https://access.redhat.com/errata/RHSA-2018:2643
https://access.redhat.com/errata/RHSA-2019:0877
Related Vulnerabilities
CVE-2020-13954 Vulnerability in maven package org.apache.cxf:cxf-rt-transports-http
CVE-2022-45690 Vulnerability in maven package cn.hutool:hutool-json
CVE-2022-3783 Vulnerability in npm package node-red-dashboard
CVE-2022-1415 Vulnerability in maven package org.drools:drools-compiler
CVE-2017-15288 Vulnerability in maven package org.scala-lang:scala-compiler