Description:
Product Security received a report that Undertow might incorrectly re-use an HTTP request header value from a previous stream for a request associated with a subsequent stream on the same HTTP/2 connection. The issue is linked to the readHpackString method and its interaction with the stringBuilder field. While such behavior typically results in an error followed by the termination of the HTTP/2 connection, it presents a potential vector for information leakage between requests.

The original reporter referenced a similar issue in Apache Tomcat (CVE-2020-17527). In the patch for that vulnerability (https://github.com/apache/tomcat/commit/8d2fe6894d6e258a6d615d7f786acca80e6020cb) a StringBuilder field was improperly reused across multiple requests, leading to this issue. In the io.undertow.protocols.http2.HpackDecoder class of Undertow, within the readHpackString method, there is a code pattern identical to the one mentioned:

```
for (int i = 0; i < length; ++i) {
stringBuilder.append((char) buffer.get());
}
String ret = stringBuilder.toString();
stringBuilder.setLength(0);
if (ret.isEmpty()) {
//return the interned empty string, rather than allocating a new one each time
return "";
}
```

Steps to reproduce:
No reproducers or PoC were provided, this issue was identified through static testing. 

Affected versions:  2.2.x, 2.3.x, and 3.x