If a Tower project (SCM repo) definition does not have the 'delete before update' flag set, a user who has commit access to the upstream playbook source repo could create a trojan playbook that, when executed by Tower, modifies the checked-out SCM repository to add git hooks. On the next SCM update, these git hooks would run, thereby executing arbitrary code as the 'awx' (Tower service) user.
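The advisory's point is that a checkout which survives between updates can carry executable git hooks that the next `git` operation runs. The following is an added example (not Red Hat's or Tower's own code) of a defender-side check: it scans a project checkout's `.git/hooks` directory and lists every executable file that is not one of git's inert `*.sample` templates. The demo checkout it builds in a temporary directory is constructed here purely for illustration; the hook name `post-checkout` in it is just one of git's standard hook names, not anything taken from the advisory.

```python
import os
import stat
import tempfile
from pathlib import Path

# git ships its template hooks with a ".sample" suffix; git ignores those.
# Anything else in .git/hooks that is executable runs on the matching git operation.
SAMPLE_SUFFIX = ".sample"


def find_active_hooks(checkout: str) -> list[str]:
    """Return paths (relative to the checkout) of executable, non-sample hook files.

    Only the default hooks directory is inspected; a repository whose
    core.hooksPath points elsewhere is not covered by this scan.
    """
    hooks_dir = Path(checkout) / ".git" / "hooks"
    found: list[str] = []
    if not hooks_dir.is_dir():
        return found
    for entry in sorted(hooks_dir.iterdir()):
        if not entry.is_file() or entry.name.endswith(SAMPLE_SUFFIX):
            continue
        mode = entry.stat().st_mode
        if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            found.append(str(entry.relative_to(checkout)))
    return found


def build_demo_checkout(root: str) -> str:
    """Construct a fake checkout layout (assumption: plain .git/hooks directory).

    It contains one inert template, one non-executable stray file and one
    executable hook, so the scan has something to distinguish.
    """
    hooks_dir = Path(root) / ".git" / "hooks"
    hooks_dir.mkdir(parents=True)
    (hooks_dir / "pre-commit.sample").write_text("#!/bin/sh\nexit 0\n")
    (hooks_dir / "README").write_text("constructed, not executable\n")
    hook = hooks_dir / "post-checkout"
    hook.write_text("#!/bin/sh\necho constructed demo hook\n")
    hook.chmod(0o755)
    return root


def demo() -> list[str]:
    """Build the constructed checkout in a temp dir and return what the scan flags."""
    root = tempfile.mkdtemp(prefix="tower-checkout-demo-")
    return find_active_hooks(build_demo_checkout(root))


if __name__ == "__main__":
    for path in demo():
        print("active hook found:", path)
```

A scan like this is a stop-gap for spotting a checkout that has already been tampered with; the fix the advisory points at is structural: with 'delete before update' set, the checkout is recreated from the upstream repository on every update, so hooks planted in the working copy do not survive to the next run.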
Acknowledgments: Ryan Petrello (Red Hat)

This issue has been addressed in the following products: CloudForms Management Engine 5.8, via RHSA-2017:3005 (https://access.redhat.com/errata/RHSA-2017:3005).