Ansible Tower automatically associates an alias with a user's email address in the API. An attacker can therefore query or search for a user by email address, which makes it possible to check whether an arbitrary user exists.
Ansible Tower 3.7.1 and earlier versions are affected.
There is no mitigation for this issue.
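One way to watch for the email-based user lookups described above in web-server access logs, as an added example that is not part of the original report or of Red Hat's code. The `/api/v2/users/` path, the `email` and `search` query parameter names, the combined log format and the threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Aug/2020:10:00:01 +0000] "GET /api/v2/users/?email=alice%40example.com HTTP/1.1" 200 431
198.51.100.7 - - [01/Aug/2020:10:00:02 +0000] "GET /api/v2/users/?email=bob%40example.com HTTP/1.1" 200 52
198.51.100.7 - - [01/Aug/2020:10:00:03 +0000] "GET /api/v2/users/?email__iexact=carol%40example.com HTTP/1.1" 200 52
198.51.100.7 - - [01/Aug/2020:10:00:04 +0000] "GET /api/v2/users/?search=dave%40example.com HTTP/1.1" 200 52
192.0.2.10 - - [01/Aug/2020:10:05:00 +0000] "GET /api/v2/users/?email=Bob%40example.com HTTP/1.1" 200 431
192.0.2.10 - - [01/Aug/2020:10:05:09 +0000] "GET /api/v2/users/?email=bob%40example.com&page=2 HTTP/1.1" 200 431
203.0.113.5 - - [01/Aug/2020:10:07:00 +0000] "GET /api/v2/jobs/?search=nightly HTTP/1.1" 200 990
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
USERS_PATH = "/api/v2/users/"  # assumed user-list endpoint, not taken from the page
THRESHOLD = 3                  # assumed: distinct addresses per source before flagging

def email_lookups(log_text):
    """Map source IP -> set of distinct email values used to filter the users endpoint."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        src, method, target, _status = m.groups()
        url = urlsplit(target)
        if method != "GET" or url.path.rstrip("/") + "/" != USERS_PATH:
            continue
        for key, value in parse_qsl(url.query):  # parse_qsl also decodes %40 to "@"
            # "email", "email__iexact", ... filter on the email field;
            # a "search" value containing "@" is treated as an email search.
            by_field = key.split("__")[0] == "email" and value
            by_search = key == "search" and "@" in value
            if by_field or by_search:
                seen[src].add(value.lower())  # case-insensitive de-duplication
    return dict(seen)

def flag_enumeration(log_text, threshold=THRESHOLD):
    """Return the sources that looked up at least `threshold` distinct addresses."""
    hits = email_lookups(log_text)
    return sorted(src for src, values in hits.items() if len(values) >= threshold)

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))
```

Counting distinct addresses rather than requests keeps a client that repeatedly pages through one lookup from being flagged.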
Name: Joshua Niemann (IBM GTS)
This issue has been addressed in the following products:
Red Hat Ansible Tower 3.7 for RHEL 7
Via RHSA-2020:3328 https://access.redhat.com/errata/RHSA-2020:3328
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):