Ansible Tower automatically associates an alias with a user's email in the API. This means that an attacker can query or search for a user based on their email address, which makes it possible to check whether an arbitrary user exists.
Statement: Ansible Tower 3.7.1 as well as previous versions are affected.
Mitigation: There is no mitigation for this issue.
Acknowledgments: Name: Joshua Niemann (IBM GTS)
This issue has been addressed in the following products:

Red Hat Ansible Tower 3.7 for RHEL 7

Via RHSA-2020:3328 https://access.redhat.com/errata/RHSA-2020:3328
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-14337