PT-2021-9716 · Red Hat · Ansible Tower
Published: 2021-05-27 · Updated: 2021-06-07
CVE-2020-14329
CVSS v3.1: 3.3 (Low)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Ansible Tower versions prior to 3.7.2
Description
A data exposure flaw was found in Ansible Tower, where sensitive data can be exposed from the "/api/v2/labels/" endpoint. This flaw allows users from other organizations in the system to retrieve any label from the organization and also disclose organization names. The highest threat from this flaw is to confidentiality.
Recommendations
For versions prior to 3.7.2, update to version 3.7.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/api/v2/labels/" endpoint until a patch is available.
Fix
Information Disclosure
Affected Products
Ansible Tower