The usage of the '#' character in RabbitMQ passwords causes the web socket to fail with an HTTP 500 error. That response code includes the HTTP status, which would partially disclose the password in plaintext.
Mitigation: This issue could be mitigated by setting or changing the RabbitMQ passwords without using special characters. Password complexity could still be maintained or even increased by using unpredictable longer strings. This adds much more entropy than just using special characters in shorter strings.
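The mitigation above, worked through as an added example (not part of the original report or of Ansible Tower): it generates a RabbitMQ password from letters and digits only and sizes it to a target entropy, so dropping '#' and other punctuation costs no strength. It assumes "special characters" means anything outside ASCII letters and digits; all function names are hypothetical.

```python
import math
import secrets
import string

# Assumption: "special characters" = anything outside ASCII letters and digits.
ALPHANUMERIC = string.ascii_letters + string.digits   # 62 symbols, no '#'
PRINTABLE = ALPHANUMERIC + string.punctuation          # 94 symbols, includes '#'


def entropy_bits(length, alphabet_size):
    """Entropy in bits of a uniformly random string over the given alphabet."""
    return length * math.log2(alphabet_size)


def min_length(target_bits, alphabet_size=len(ALPHANUMERIC)):
    """Shortest length over the alphabet that reaches at least target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def has_special_characters(password):
    """True if the password contains any character the mitigation says to avoid."""
    return any(ch not in ALPHANUMERIC for ch in password)


def equivalent_length(length_with_specials):
    """Alphanumeric length at least as strong as a random printable-ASCII
    password (specials included) of the given length."""
    return min_length(entropy_bits(length_with_specials, len(PRINTABLE)))


def generate_password(target_bits=128):
    """Random alphanumeric password from the OS CSPRNG, sized for target_bits."""
    length = min_length(target_bits)
    password = "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))
    if has_special_characters(password):  # defensive check before it is used
        raise ValueError("generated password contains a special character")
    return password


if __name__ == "__main__":
    for n in (12, 16, 20):
        print(f"{n} printable chars ({entropy_bits(n, len(PRINTABLE)):.1f} bits) "
              f"-> {equivalent_length(n)} alphanumeric chars")
    pw = generate_password(128)
    print(f"generated {len(pw)}-char password, "
          f"{entropy_bits(len(pw), len(ALPHANUMERIC)):.1f} bits")
```
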
This issue has been addressed in the following products: Red Hat Ansible Tower 3.5 for RHEL 7 Via RHSA-2019:4242 https://access.redhat.com/errata/RHSA-2019:4242
This issue has been addressed in the following products: Red Hat Ansible Tower 3.6 for RHEL 7 Via RHSA-2019:4243 https://access.redhat.com/errata/RHSA-2019:4243
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-19342