A flaw was identified in the SonarQube Plugin for Jenkins that disclosed the SonarQube server secret key as used by the plugin. An authenticated remote user with 'Manage Jenkins' privilege could read the secret key as configured via the 'sonar.sonarPassword' parameter.
For users of SonarQube v3.7 or later, a mitigation is to use encrypted settings values as described in .
Not Vulnerable. The SonarQube plug-in for Jenkins is not shipped by Red Hat.