module_args is not censored properly when using the check mode. This only happens using -vvv on the CLI, but in AWX/Tower it does not matter what verbosity setting is used, because it is saved in the event data regardless. So sensitive data is exposed allowing unauthorized users accessing to it.
Created ansible tracking bugs for this issue: Affects: epel-all [bug 1857817] Affects: fedora-all [bug 1857818]
Created ansible tracking bugs for this issue: Affects: openstack-rdo [bug 1859535]
Upstream Fix: https://github.com/ansible/ansible/pull/71033
Statement: The version of ansible provided in Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and 3 does not contain the vulnerable functionality and is not affected by this vulnerability. Additionally, these storage products no longer maintains their own version of ansible and fixes are consumed from core Ansible repository.
External References: https://github.com/ansible/ansible/pull/71033