
CVE-2015-8549: PyAMF vulnerable to XML external entity (XXE)

CVSS Score (v3.1): 7.1

Basic Information

EPSS Score: 0.62679%
Published: 5/24/2022
Updated: 10/21/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
pyamf          pip         < 0.8.0               0.8.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from insecure XML parsing in AMF payload handling. The patch (PR #58) explicitly replaces ElementTree.fromstring with defusedxml equivalents, indicating this was the vulnerable function. PyAMF's XML parsing didn't restrict external entities by default, matching CWE-611. The release notes confirm the switch to defusedxml as security hardening against XXE.
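As an added example (not PyAMF's code and not defusedxml itself), a standard-library re-creation of the defence the patch adopted: an expat pre-scan that refuses DOCTYPE and entity declarations before ElementTree ever parses the payload, so no entity is expanded or fetched. The function names, the sample documents and the placeholder entity path are constructed for this illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class DTDForbidden(ValueError):
    """DOCTYPE seen while forbid_dtd is on."""

class EntitiesForbidden(ValueError):
    """An <!ENTITY> declaration or an external reference was seen."""

def safe_fromstring(text, forbid_dtd=False, forbid_entities=True):
    """Like ElementTree.fromstring, but fails closed on DTD abuse: an expat
    pre-scan raises the moment a DOCTYPE or entity declaration appears, so
    nothing is expanded or fetched; the vetted text then goes to ElementTree."""
    scanner = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if forbid_dtd:
            raise DTDForbidden(f"DOCTYPE {name!r} not allowed")

    def on_entity_decl(name, is_pe, value, base, sysid, pubid, notation):
        # Fires for every <!ENTITY ...>, internal or SYSTEM/PUBLIC alike,
        # before any reference to it can be expanded.
        raise EntitiesForbidden(f"entity declaration {name!r} not allowed")

    def on_external_ref(context, base, sysid, pubid):
        raise EntitiesForbidden(f"external entity {sysid!r} not allowed")

    scanner.StartDoctypeDeclHandler = on_doctype
    if forbid_entities:
        scanner.EntityDeclHandler = on_entity_decl
    scanner.ExternalEntityRefHandler = on_external_ref  # defence in depth
    scanner.Parse(text, True)  # raises on DTD abuse or on malformed XML
    return ET.fromstring(text)

# Constructed samples (placeholder path, not a real target): a benign
# AMF-style fragment, an external-entity payload and a small expansion one.
BENIGN = "<amf><item>ok</item></amf>"
EXTERNAL = ('<!DOCTYPE amf [<!ENTITY ext SYSTEM "file:///placeholder/secret">]>'
            "<amf>&ext;</amf>")
EXPANSION = ('<!DOCTYPE amf [<!ENTITY a "xx"><!ENTITY b "&a;&a;&a;&a;">]>'
             "<amf>&b;</amf>")

def check(text, **opts):
    """Return 'parsed', or the name of the exception class that rejected it."""
    try:
        safe_fromstring(text, **opts)
        return "parsed"
    except (DTDForbidden, EntitiesForbidden) as exc:
        return type(exc).__name__
```

Because the declaration handler fires before any reference is resolved, both the external-fetch case (confidentiality) and the entity-expansion case (availability) named in the CVSS vector are stopped in the first pass.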
