Description
The issue appears to be that JBoss EAP 6.4.21 does not parse the header field-name in accordance with RFC 7230 [1]: it returns a 200 response instead of a 400.
Remediation
References