Description
It was discovered in Undertow that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.
Remediation
References
Related Vulnerabilities
CrushFTP Server URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2018-18288)
WordPress Plugin Listing, Classified Ads & Business Directory-uListing SQL Injection (2.0.3)
WordPress 4.2.x PHP Object Injection (4.2 - 4.2.29)
Plone CMS CVE-2013-4189 Vulnerability (CVE-2013-4189)
Sqlite NULL Pointer Dereference Vulnerability (CVE-2017-15286)