The uri module is being accessed using Python there, and Python passes Authorization headers. Though Ansible has an unredirected_headers option, it's not exposed to the uri module, and it would require users to explicitly state the headers they don't want to be redirected. unredirected_headers is actually used in Galaxy requests in the way shown here: https://github.com/ansible/ansible/blob/bf7d4ce260dc4ffc6074b2a392b9ff4d3794308b/lib/ansible/galaxy/collection/concrete_artifact_manager.py#L402-L409 So, in the case of Galaxy, it's already defined in the code that if it's an "Authorization" header, it won't be redirected. unredirected_headers is exposed in the url lookup plugin, but not in either get_url or uri, and it will only affect those users that use force_basic_auth, which inserts the Authorization header purposefully, or users who put Authorization in headers explicitly. Hence, I believe a CVE is not required in such a scenario, since the user has explicitly told the module to send an Authorization header with the requests. The best way would be submitting a feature PR for 2.12 that exposes unredirected_headers in the uri and get_url modules, where a new argument can be introduced to the module for the upcoming release (minor release 2.12).
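The redirect behaviour discussed above, as an added example that is not part of the bug report or of Ansible's code: a constructed local HTTP server answers GET /start with a 302 to /landing and records whether an Authorization header arrives at /landing. Python's urllib.request copies a Request's ordinary headers onto the redirected request but drops headers set with add_unredirected_header, which is the mechanism the unredirected_headers option builds on.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SEEN = {}  # headers that reached the post-redirect URL (constructed demo state)


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/start":
            # First hop: redirect the client elsewhere.
            self.send_response(302)
            self.send_header("Location", "/landing")
            self.end_headers()
            return
        # Second hop: record what credentials the client forwarded.
        SEEN["authorization"] = self.headers.get("Authorization")
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), Handler)  # ephemeral port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def authorization_forwarded(unredirected):
    """Return True if the Authorization header was sent to /landing."""
    srv = start_server()
    try:
        req = urllib.request.Request("http://127.0.0.1:%d/start" % srv.server_address[1])
        token = "Basic dXNlcjpzZWNyZXQ="  # constructed value ('user:secret')
        if unredirected:
            req.add_unredirected_header("Authorization", token)  # dropped on redirect
        else:
            req.add_header("Authorization", token)  # copied onto the redirected request
        SEEN.clear()
        with urllib.request.urlopen(req) as resp:
            resp.read()
        return SEEN.get("authorization") is not None
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("add_header forwarded:", authorization_forwarded(False))  # True
    print("add_unredirected_header forwarded:", authorization_forwarded(True))  # False
```

urllib applies the same copying rule whatever host the Location header points at, so the header set with add_header would travel to a third-party redirect target just as it does here.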
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1984760]
Affects: fedora-all [bug 1984759]
Affects: openstack-rdo [bug 1984761]