Undertow is vulnerable to HTTP request smuggling. The library does not reject messages whose headers contain invalid characters, so a request that an upstream proxy and Undertow parse differently can be used to smuggle a second request or inject data into a response, which in turn can enable cross-site scripting attacks. The issue is the result of an incomplete fix for CVE-2017-2666.
access.redhat.com/errata/RHSA-2017:3454
access.redhat.com/errata/RHSA-2017:3455
access.redhat.com/errata/RHSA-2017:3456
access.redhat.com/errata/RHSA-2017:3458
access.redhat.com/errata/RHSA-2018:0002
access.redhat.com/errata/RHSA-2018:0003
access.redhat.com/errata/RHSA-2018:0004
access.redhat.com/errata/RHSA-2018:0005
access.redhat.com/errata/RHSA-2018:1322
bugzilla.redhat.com/show_bug.cgi?id=1481665
bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7559
github.com/undertow-io/undertow/commit/3436b03eda8b0b62c1855698c4d7c358add836c2
issues.jboss.org/browse/UNDERTOW-1165
issues.jboss.org/browse/UNDERTOW-1251
www.sourceclear.com/vulnerability-database/security/http-smuggling/java/sid-5882