Security Tracking Issue
Do not make this issue public.
NOTE THIS ISSUE IS CURRENTLY EMBARGOED, DO NOT MAKE PUBLIC COMMITS OR COMMENTS ABOUT THIS ISSUE.
EMBARGOED CVE-2017-7559 undertow: HTTP Request smuggling vulnerability (incomplete fix of CVE-2017-2666)
It was found that original patch for CVE-2017-2666 issue in undertow was incomplete and invalid characters are still allowed in the query string and path parameters.