All advisories

Docker Hub access credential exposure in Replicated-based installation support bundles

Affected product(s)

  • Replicated-based Gradle Enterprise installations - all versions



Published at



Support bundles are a mechanism used by Gradle Enterprise support to obtain log files and other operational telemetry from a Gradle Enterprise installation. They must be generated by an installation administrator with access to the installation host environment, or via the application administration user interface. The bundle files are typically then shared with Gradle Enterprise support and discarded.

Gradle's documentation previously recommended configuring Replicated with Docker Hub Credentials written in plaintext in the file /etc/replicated.conf on the host of the Gradle Enterprise installation. The contents of this file are included in support bundles, causing the credentials to be exposed when configured this way.

Gradle Enterprise installations not using Replicated are unaffected.


  1. Remove the DockerHubUsername and DockerHubPassword entries from /etc/replicated.conf.
  2. Reconfigure the credentials using the Replicated CLI:
$ replicatedctl params set DockerHubUsername --value your-username
$ replicatedctl params set DockerHubPassword --value your-password
  1. Restart the Replicated admin console, following the instructions for your operating system specified here.

Consider revoking the previous, potentially exposed, credentials and generating and configuring new credentials.