||When an user changes the jobdir of async_files to a world readable directory, ansible writes the async status files directly into the world readable directory using umask to determine the file's permissions. The umask on most systems allow world readable files. This means that any secret information in an "async_status" file will be readable by a malicious user on that system.
||A flaw was found in Ansible where the secret information present in async_files are getting disclosed when the user changes the jobdir to a world readable directory. Any secret information in an async status file will be readable by a malicious user on that system. This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.