After submitting a new license using the new RHSM on Ansible Tower 3.6.0, licensed data such as username and password are exposed at '/api/v2/config/'. These credentials are saved into the database as plaintext.
Name: Victor da Costa (Red Hat)
There is no mitigation for this issue since this issue happens when Red Hat license is applied.
This issue has been addressed in the following products:
Red Hat Ansible Tower 3.6 for RHEL 7
Via RHSA-2019:3958 https://access.redhat.com/errata/RHSA-2019:3958
Ansible Tower 3.6.0 is affected, but Ansible Tower 3.5, 3.4, and 3.3 are not vulnerable as they do not include the new RHSM.
CloudForms 5.9 and 5.10 are not vulnerable as they do not use Ansible Tower 3.6.0.