myfaces-impl generates anti-CSRF tokens with a cryptographically insecure random number generator. Because the tokens are not unpredictable, an attacker could predict subsequent anti-CSRF token values and successfully perform requests on behalf of users.
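The class of weakness described above, shown as an added example that is not MyFaces code: a token built from a non-cryptographic PRNG beside one built from `SecureRandom`, with a constant-time comparison. The class and method names are hypothetical, and the use of `java.util.Random` as the weak source is an assumption made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

// Added illustration; class and method names are hypothetical, not MyFaces APIs.
public class CsrfTokenDemo {
    private static final int TOKEN_BYTES = 32; // 256 bits of token material
    private static final SecureRandom CSPRNG = new SecureRandom();

    // Weak (assumed source): java.util.Random is a 48-bit linear congruential
    // generator, so every token is a deterministic function of its seed.
    static String weakToken(Random prng) {
        byte[] buf = new byte[TOKEN_BYTES];
        prng.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Hardened: SecureRandom draws from a cryptographically strong generator.
    static String strongToken() {
        byte[] buf = new byte[TOKEN_BYTES];
        CSPRNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Compare the submitted token with the session token in constant time.
    static boolean tokenMatches(String expected, String submitted) {
        if (expected == null || submitted == null) return false;
        return MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        long seed = 12345L; // constructed seed, used only to show determinism
        String a = weakToken(new Random(seed));
        String b = weakToken(new Random(seed));
        System.out.println("weak tokens identical for same seed: " + a.equals(b));
        String s1 = strongToken();
        String s2 = strongToken();
        System.out.println("strong tokens differ: " + !s1.equals(s2));
        System.out.println("valid token accepted: " + tokenMatches(s1, s1));
        System.out.println("wrong token rejected: " + !tokenMatches(s1, s2));
    }
}
```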
packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html
seclists.org/fulldisclosure/2021/Feb/66
github.com/apache/myfaces/pull/149
lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E
security.netapp.com/advisory/ntap-20210528-0007/