AWX awxkit Path Traversal Vulnerability via YAML !include Directive

Vulnerability

A path traversal vulnerability exists in awxkit, the command-line interface (CLI) library for AWX. The YAML '!include' directive supported by the CLI's YAML input format resolves the included path without restricting it to the directory of the importing file, so an attacker can craft a YAML file whose '!include' entries read arbitrary YAML-formatted files from the local filesystem of the machine running the CLI. The vulnerability is triggered when a user imports the crafted file with the 'awx --conf.format yaml import' command. This is a client-side issue and requires the victim to import attacker-supplied YAML.

Impact

Exploitation allows unauthorized reading of YAML-formatted files from the local filesystem of the user running the CLI. Because the included contents are populated into the fields of the AWX resources being imported, the leaked data can then be retrieved through the AWX API or user interface by anyone with access to those resources.

Reproduction

To reproduce, create a YAML import file in which a resource field uses the '!include' directive with a relative path containing '../' segments that points at a YAML-formatted file outside the import directory. Because the path is resolved without any containment check, the directive reads that file. Import the crafted file with 'awx --conf.format yaml import' and then inspect the created or updated AWX resource: the field carries the contents of the traversed file.
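The mechanism described above, as an added example that is not awxkit's own code: a toy '!include' loader with the unsanitised resolver the advisory describes beside a hardened resolver that confines includes to the importing file's directory. All file names, paths and contents below are constructed for this example.

```python
import tempfile
from pathlib import Path

# Constructed fixture (an assumption for this example, not a layout from the advisory):
#   <base>/secret/creds.yml    YAML-formatted file OUTSIDE the import directory
#   <base>/work/resources.yml  the file handed to the importer; its !include escapes with ../
#   <base>/work/legit.yml      an import whose !include stays inside the directory
#   <base>/work/vars.yml       the legitimately included file
SECRET_YAML = "api_token: s3cr3t-value\n"
VARS_YAML = "region: eu-west-1\n"
MALICIOUS_IMPORT = "name: demo-project\ndescription: !include ../secret/creds.yml\n"
LEGIT_IMPORT = "name: legit-project\ndescription: !include vars.yml\n"


def make_fixture() -> Path:
    """Write the constructed files into a fresh temp dir and return its base path."""
    base = Path(tempfile.mkdtemp())
    (base / "secret").mkdir()
    (base / "secret" / "creds.yml").write_text(SECRET_YAML)
    (base / "work").mkdir()
    (base / "work" / "resources.yml").write_text(MALICIOUS_IMPORT)
    (base / "work" / "legit.yml").write_text(LEGIT_IMPORT)
    (base / "work" / "vars.yml").write_text(VARS_YAML)
    return base


def naive_include(root: Path, requested: str) -> str:
    """Vulnerable resolver (models the flaw in the advisory): join the !include
    argument to the importing file's directory and read the result. '..'
    segments are honoured, so the include can name any readable file."""
    return (root / requested).read_text()


def safe_include(root: Path, requested: str) -> str:
    """Hardened resolver: canonicalise both sides (resolve() also follows
    symlinks) and refuse any target that is not strictly under the import dir."""
    root_real = root.resolve()
    target = (root_real / requested).resolve()
    if root_real not in target.parents:
        raise ValueError(f"!include target {requested!r} escapes {root_real}")
    return target.read_text()


def load_resource(import_file: Path, resolver) -> dict:
    """Toy stand-in for a YAML loader's !include constructor. Handles flat
    'key: value' lines only; a value of the form '!include <path>' is replaced
    by the text returned from resolver(import_dir, path)."""
    root = import_file.parent
    fields = {}
    for line in import_file.read_text().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"unparseable line: {line!r}")
        value = value.strip()
        if value.startswith("!include "):
            value = resolver(root, value[len("!include "):].strip())
        fields[key.strip()] = value
    return fields


def demo(base: Path) -> dict:
    """Run the malicious and legitimate imports through both resolvers and
    return what each combination produced, so the difference is visible."""
    malicious = base / "work" / "resources.yml"
    legit = base / "work" / "legit.yml"
    results = {"naive_malicious": load_resource(malicious, naive_include)["description"]}
    try:
        load_resource(malicious, safe_include)
        results["safe_malicious"] = "ALLOWED (containment check failed)"
    except ValueError as exc:
        results["safe_malicious"] = f"rejected: {exc}"
    results["safe_legit"] = load_resource(legit, safe_include)["description"]
    return results


if __name__ == "__main__":
    for name, outcome in demo(make_fixture()).items():
        print(f"{name}: {outcome!r}")
```

With the naive resolver the 'description' field of the imported resource ends up holding the contents of creds.yml, which is exactly the data that would then be pushed to the AWX server and become readable through its API. The hardened resolver still serves the legitimate include of vars.yml, and because it compares canonicalised paths it also rejects a symlink inside the import directory that points outside it. In the real loader the included text is parsed as YAML, which is why the advisory limits the leak to YAML-formatted files.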

Remediation

Users are advised to import YAML files only from trusted sources and to prefer the default JSON import format, which is not affected, over YAML.

Added: Jun 9, 2026, 10:26 AM
Updated: Jun 9, 2026, 10:26 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 4.6
remediation: 0.0
relevance: 9.4
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.