{"schema_version": "1.6.1", "id": "CVE-2021-26296", "summary": "Cross-Site Request Forgery (CSRF) vulnerability in Apache MyFaces", "details": "In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "Apache MyFaces Core 2.2"}, {"fixed": "2.2.14"}]}, {"type": "SEMVER", "events": [{"introduced": "Apache MyFaces Core 2.3"}, {"fixed": "2.3.8"}]}, {"type": "SEMVER", "events": [{"introduced": "Apache MyFaces Core 2.3-next"}, {"fixed": "2.3-next-M5"}]}, {"type": "SEMVER", "events": [{"introduced": "Apache MyFaces Core 3.0"}, {"fixed": "3.0.0"}]}]}], "references": [{"type": "ADVISORY", "url": "https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E"}]}