CVE-2015-8549: PyAMF vulnerable to XML external entity (XXE)

May 24, 2022 (updated October 21, 2024)

PyAMF provides Action Message Format (AMF) support for Python that is compatible with the Adobe Flash Player. It includes integration with Python web frameworks like Django, Pylons, Twisted, SQLAlchemy, web2py and more. XML external entity (XXE) vulnerability in PyAMF before 0.8.0 allows remote attackers to cause a denial of service or read arbitrary files via a crafted Action Message Format (AMF) payload.

References

github.com/advisories/GHSA-m7m4-4vm8-55wg
github.com/hydralabs/pyamf
github.com/hydralabs/pyamf/pull/58
github.com/hydralabs/pyamf/releases/tag/v0.8.0
github.com/pypa/advisory-database/tree/main/vulns/pyamf/PYSEC-2020-339.yaml
nvd.nist.gov/vuln/detail/CVE-2015-8549
pypi.org/project/pyamf

Code Behaviors & Features

Detect and mitigate CVE-2015-8549 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →