A flaw was found in the synchronize module of Ansible. Improper input check on `rsync_opts` may lead to malformed/unexpected rsync command sequence when passing empty string, leading to information leak.
The empty string tells rsync to transfer files from the current working directory. This could be the intention and part of the purpose of rsync: in fact: rsync of an empty string does use the current working directory. But as this may be unexpected from the end user which uses the Ansible module, it will warn about it. Closing as NOTABUG (not a security vulnerability). See external references.