It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.
Created python-celery tracking bugs for this issue:
Affects: epel-all [bug 2037533]
Affects: fedora-all [bug 2037532]
to upgrade celery to version 5.2.2 or higher.
The analysis is complete for Ansible Tower 3.8 and Controller as part of AAP 2.0. None of them are using the affected component, i.e. celery (python-celery). Hence, marking it as "Not Affected".
Please refer to: https://github.com/ansible/tower/blob/release_3.8.6/requirements/requirements.txt
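The same kind of check as in the comment above (is celery listed in a requirements file, and is it below the 5.2.2 threshold named in this report), written as an added example that is not part of the original bug report or of any Red Hat tooling. The function names and the sample file contents are constructed for illustration.

```python
import re

FIXED = (5, 2, 2)  # first fixed celery release named in this report

# Constructed sample inputs (not the contents of any real project's file).
SAMPLE_AFFECTED = """\
# constructed example
Django==3.2.10
celery[redis]==5.1.2  # pinned
"""
SAMPLE_ABSENT = "Django==3.2.10\nrequests>=2.26\n"

# name, optional [extras], then the version specifier
_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*)$")
# exact pin with a plain numeric version only; wildcards, pre-releases and
# post-releases do not match and are reported for manual review instead
_PIN = re.compile(r"==\s*(\d+(?:\.\d+)*)\s*(?:,|$)")


def _norm(name):
    """PEP 503 name normalisation, so 'Celery' and 'celery' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def _ver(text):
    """Turn '5.2' into (5, 2, 0) so it compares correctly against FIXED."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def celery_status(requirements_text):
    """Return 'absent', 'affected', 'fixed' or 'unpinned' for celery."""
    for raw in requirements_text.splitlines():
        # drop comments and environment markers, skip pip options (-r, -e)
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _REQ.match(line)
        if not m or _norm(m.group(1)) != "celery":
            continue  # also skips look-alikes such as django-celery-beat
        pin = _PIN.search(m.group(3))
        if not pin:
            return "unpinned"  # range or unusual pin: resolve it, then re-check
        return "affected" if _ver(pin.group(1)) < FIXED else "fixed"
    return "absent"
```

An `absent` result only covers direct requirements in the file that was read; a transitive dependency on celery needs a check against the resolved environment.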