Authenticated Path Traversal in AIL framework /objects/item/diff Allows Reading Gzip-Compressed Files
Description
AIL framework contains a path traversal vulnerability in the /objects/item/diff endpoint. The endpoint accepts item identifiers through the s1 and s2 query parameters and, prior to the fix, attempted to retrieve and compare item contents without first verifying that both referenced items existed as valid AIL objects.
An authenticated AIL user could craft malicious item identifiers containing path traversal sequences to cause the application to read gzip-compressed files accessible to the AIL process. This could result in unauthorized disclosure of local file contents, limited to files readable by the application and compatible with the expected gzip-compressed item format.
The issue was fixed by validating that both requested items exist before their contents are accessed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"Missing validation that referenced items exist before accessing their contents allows path traversal to read arbitrary gzip-compressed files."
Attack vector
An authenticated AIL user sends a crafted request to `/objects/item/diff` with path traversal sequences (e.g., `../`) in the `s1` or `s2` query parameters. The application constructs `Item` objects from these identifiers and, prior to the fix, called `get_content()` without checking whether the items actually exist. This allows the attacker to read gzip-compressed files accessible to the AIL process, limited to files the process can read and that match the expected compressed format. [patch_id=6590897]
Affected code
The vulnerability resides in `/var/www/blueprints/objects_item.py` in the `object_item_diff()` function. The endpoint accepts `s1` and `s2` query parameters and constructs `Item` objects without verifying they exist before calling `get_content()`, allowing path traversal sequences in the identifiers to reach arbitrary gzip-compressed files.
What the fix does
The patch adds two existence checks — `if not item1.exists()` and `if not item2.exists()` — before calling `get_content()` on either item. If either item does not exist, the function returns a 404 error immediately. This prevents the path traversal from reaching arbitrary files because the `exists()` check validates that the identifier corresponds to a legitimate AIL object before any file read operation occurs. [patch_id=6590897]
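An added example (not AIL's own code) of the fixed control flow described above: a hypothetical `Item` stand-in whose `exists()` consults an object index, and as defence in depth checks that the resolved path stays under the store root, before any `get_content()` call is made. `ITEM_ROOT`, `KNOWN_ITEMS`, `register_item` and the two sample items are constructed for the demonstration.

```python
import gzip
import tempfile
from pathlib import Path

# Constructed sandbox: a temp directory standing in for the item store (assumption, not AIL's layout)
ITEM_ROOT = Path(tempfile.mkdtemp())
KNOWN_ITEMS: set[str] = set()  # stand-in for the object index that makes an identifier "legitimate"


def register_item(item_id: str, text: str) -> None:
    """Write a gzip-compressed item and record its identifier in the index (constructed helper)."""
    path = ITEM_ROOT / item_id
    path.parent.mkdir(parents=True, exist_ok=True)
    with gzip.open(path, "wt") as f:
        f.write(text)
    KNOWN_ITEMS.add(item_id)


class Item:
    """Hypothetical stand-in for AIL's Item class; the real implementation is not reproduced."""

    def __init__(self, item_id: str):
        self.id = item_id

    def exists(self) -> bool:
        # Valid only if the identifier is indexed AND resolves to a regular file under ITEM_ROOT.
        # The index lookup runs first, so an unindexed identifier never touches the filesystem.
        if self.id not in KNOWN_ITEMS:
            return False
        real = (ITEM_ROOT / self.id).resolve()
        return real.is_file() and ITEM_ROOT.resolve() in real.parents

    def get_content(self) -> str:
        with gzip.open(ITEM_ROOT / self.id, "rt") as f:
            return f.read()


def object_item_diff(s1: str, s2: str):
    """Fixed control flow: both existence checks complete before either get_content() call."""
    item1, item2 = Item(s1), Item(s2)
    if not item1.exists():
        return 404, None
    if not item2.exists():
        return 404, None
    return 200, (item1.get_content(), item2.get_content())


# Constructed sample items
register_item("2024/01/01/paste_a.gz", "alpha line\n")
register_item("2024/01/01/paste_b.gz", "beta line\n")
```

A traversal identifier such as `../../not_an_item.gz` fails the index lookup and yields 404 without any file being opened.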
Preconditions
- auth: Attacker must be an authenticated AIL user
- network: Attacker must be able to reach the /objects/item/diff endpoint over the network
- input: Attacker supplies path traversal sequences in the s1 or s2 query parameters
Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.