Thanks for taking the time to report this. In fact, it was identified previously through our own testing procedures, but since only SonarQube administrators can set this property we’ve determined that as a practical matter it’s not a risk. Does this make sense?
That’s a valid point. We have a responsible disclosure workflow for SonarSource’s customers and we will adapt it to make it available for community users.
I will come back to this thread once it is published.