If there are Ansible users out there who are trying to put templates in multi-line YAML strings (https://yaml-multiline.info/), and the facts being handled don't routinely include special template characters, then their controller will be vulnerable to a template injection through the facts used in the template.
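An added example (not from this bug report and not Ansible's own code): a heuristic audit for the condition the description names, flagging Jinja2 expressions that reference facts inside YAML block scalars (`|` or `>`). The function name, the fact-name pattern (`ansible_*`, `hostvars`) and the sample playbook are assumptions constructed for illustration; a hit marks a place to review and does not by itself establish exploitability.

```python
import re

# Heuristic only: it encodes the condition in the description above (a template
# in a multi-line YAML string that pulls in facts), not Ansible's own logic.
BLOCK_START = re.compile(r'^( *)(?:-\s+)?[\w.\-]+:\s*[|>][+\-\d]*\s*$')
JINJA_EXPR = re.compile(r'\{\{.*?\}\}|\{%.*?%\}')
# Assumption: facts are referenced as ansible_* variables or through hostvars.
FACT_REF = re.compile(r'\b(?:ansible_[a-z0-9_]+|hostvars)\b')

def find_fact_templates_in_block_scalars(text):
    """Return (line, block_key_line, expression) for each fact-bearing
    Jinja2 expression found inside a YAML block scalar (| or >)."""
    findings = []
    block_indent = None   # indent of the key that opened the current block
    key_line = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if block_indent is not None:
            indent = len(line) - len(line.lstrip(' '))
            if not line.strip() or indent > block_indent:
                for expr in JINJA_EXPR.findall(line):
                    if FACT_REF.search(expr):
                        findings.append((lineno, key_line, expr))
                continue
            block_indent = None   # dedent: block ended, re-check this line
        m = BLOCK_START.match(line)
        if m:
            block_indent, key_line = len(m.group(1)), lineno
    return findings

# Constructed sample playbook, not taken from the report.
SAMPLE_PLAYBOOK = """\
- hosts: all
  tasks:
    - name: write motd
      copy:
        content: |
          Host {{ ansible_facts['hostname'] }}
          Kernel {{ ansible_kernel }}
          Owner {{ site_owner }}
        dest: /etc/motd
    - name: single-line template
      debug:
        msg: "{{ ansible_hostname }}"
"""

if __name__ == "__main__":
    for lineno, key_line, expr in find_fact_templates_in_block_scalars(SAMPLE_PLAYBOOK):
        print(f"line {lineno} (block opened at line {key_line}): {expr}")
```

The scan covers block scalars only; multi-line quoted or plain scalars would need a real YAML parser.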
Analysis is complete and it's found to be a legitimate issue. The issue has been successfully reproduced. Hence, marking it as "Affected" -> "fix" for AAP 1 and Ansible Tower.
Created ansible tracking bugs for this issue:
Affects: epel-all [bug 1976097]
Affects: fedora-all [bug 1976096]
Affects: openstack-rdo [bug 1976098]
This issue has been addressed in the following products:
Red Hat Ansible Engine 2.9 for RHEL 8
Red Hat Ansible Engine 2.9 for RHEL 7
Via RHSA-2021:2663 https://access.redhat.com/errata/RHSA-2021:2663
This issue has been addressed in the following products:
Red Hat Ansible Engine 2 for RHEL 8
Red Hat Ansible Engine 2 for RHEL 7
Via RHSA-2021:2664 https://access.redhat.com/errata/RHSA-2021:2664
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3583