Based on the link below, it seem that "Http Response Splitting" is still an exposed vulnerability in Wildfly even with Wildfly version 10.1.

http://www.cvedetails.com/vulnerability-list/vendor_id-25/product_id-27107/year-2016/ophttprs-1/Redhat-Jboss-Wildfly-Application-Server.html

Is this correct? If so when can we expect a fix.