PyAMF provides Action Message Format (AMF) support for Python that is compatible with the Adobe Flash Player. It includes integration with Python web frameworks like Django, Pylons, Twisted, SQLAlchemy, web2py and more. XML external entity (XXE) vulnerability in PyAMF before 0.8.0 allows remote attackers to cause a denial of service or read arbitrary files via a crafted Action Message Format (AMF) payload.
References
- https://nvd.nist.gov/vuln/detail/CVE-2015-8549
- https://github.com/hydralabs/pyamf/pull/58
- https://github.com/hydralabs/pyamf/releases/tag/v0.8.0
- http://www.ocert.org/advisories/ocert-2015-011.html
- http://www.securityfocus.com/archive/1/archive/1/537151/100/0/threaded
- https://github.com/advisories/GHSA-m7m4-4vm8-55wg