Our enterprise environment is setup with very high security restrictions...
The main administrator for our CI infrastructure has setup Sonar with some technical user to connect to all the different surrounding systems (e.g. SVN, Jenkins, Oracle) and has defined these connection details and passwords on the global configuration.
This was fine until we upgraded to the latest Sonar version (2.12) - since, every administrator of a single project is able to see the passwords given by the global admin within the settings page (mention as default next to the field).
Since this is a full no go in our company, we have deactivated every single plugin using some additional passwords to connect to any system.
...in fact, because of this I would rate this issue even a full blocker and a high security issues!