The /api/v2/labels/ endpoint is accessible to every user logged in to the system. In the response, a user can retrieve all the labels of organizations that the user cannot normally access. The organization name is also disclosed by this endpoint.
Statement: Ansible Tower 3.7.1 as well as previous versions are affected.
Acknowledgments: Name: Maxime ESCOURBIAC (Michelin CERT team)
This issue has been addressed in the following products:

Red Hat Ansible Tower 3.7 for RHEL 7 via RHSA-2020:3328 https://access.redhat.com/errata/RHSA-2020:3328
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-14329
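A check for the exposure described above, written as an added example (it is not Red Hat's or the reporter's code): given a saved /api/v2/labels/ response for a low-privileged test account and the organizations that account should see, it lists the labels and organization names that fall outside that set. The response shape (`results`, `organization`, `summary_fields.organization.name`), the function names and the sample data are assumptions constructed for illustration.

```python
import json

# Constructed sample of a /api/v2/labels/ response body (assumed shape).
SAMPLE_RESPONSE = json.loads("""
{
  "count": 3, "next": null, "previous": null,
  "results": [
    {"id": 1, "name": "prod", "organization": 1,
     "summary_fields": {"organization": {"id": 1, "name": "Web Team"}}},
    {"id": 2, "name": "payroll", "organization": 2,
     "summary_fields": {"organization": {"id": 2, "name": "Finance"}}},
    {"id": 3, "name": "onboarding", "organization": 3,
     "summary_fields": {"organization": {"id": 3, "name": "HR"}}}
  ]
}
""")


def cross_org_labels(response, allowed_org_ids):
    """Return the labels whose organization is outside allowed_org_ids.

    A label with no organization id is reported too, because it cannot be
    tied to an organization the account is entitled to see.
    """
    allowed = set(allowed_org_ids)
    leaked = []
    for label in response.get("results", []):
        org_id = label.get("organization")
        if org_id is not None and org_id in allowed:
            continue
        org = (label.get("summary_fields") or {}).get("organization") or {}
        leaked.append({
            "label_id": label.get("id"),
            "label": label.get("name"),
            "org_id": org_id,
            "org_name": org.get("name"),
        })
    return leaked


def disclosed_org_names(leaked):
    """Organization names exposed through the leaked labels, de-duplicated."""
    return sorted({row["org_name"] for row in leaked if row["org_name"]})


if __name__ == "__main__":
    # The test account is assumed to belong to organization 1 only.
    for row in cross_org_labels(SAMPLE_RESPONSE, allowed_org_ids={1}):
        print(row)
```

An empty result for an account with restricted organization membership is the expected outcome on a fixed release.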