Ansible Tower should prevent ws group subscription if not specified in the valid format. Otherwise this would allow normal users intercept stdout from jobs running in other organizations.
Acknowledgments: Name: Ryan Petrello (Red Hat)
Statement: Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.
Mitigation: This issue is possible to mitigate by disabling the stdout from jobs run through the nginx configuration file. However this may affect the usage of Tower as stdout stream would be hidden. To disable the output of running jobs the entire 'location /websocket' block from the nginx configuration (and restarting nginx service) it would be required. Nginx will stop serving /websocket by 404 HTTP code return.
awx link: https://github.com/ansible/awx/pull/6465