The credentials.xml file holds a plaintext copy of the credentials stored via Jenkins. On a fresh install of Jenkins, this file is world-readable by default:
$ ls -l /var/lib/jenkins/credentials.xml
-rw-r--r-- 1 jenkins jenkins 2863 Feb 12 19:00 /var/lib/jenkins/credentials.xml
It should be readable by the owner and group at most, not by every user on the system.
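One way to check for and correct this on a host, as an added example that is not part of the original page. The function names are hypothetical, and the check reads the "other" permission characters from `ls -l`, the same field shown in the listing above.

```shell
#!/bin/sh
# Added example: audit and tighten permissions on Jenkins' credentials.xml.
# Usage: sh audit_creds.sh /var/lib/jenkins/credentials.xml

# other_bits FILE: print the three "other" permission characters
# (columns 8-10 of the ls -l mode string, e.g. "r--" or "---").
other_bits() {
    ls -ld -- "$1" | cut -c8-10
}

# audit_creds FILE: return 0 if other users have no access,
# 1 if the file is exposed to them, 2 if the file does not exist.
audit_creds() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "MISSING $f" >&2
        return 2
    fi
    bits=$(other_bits "$f")
    if [ "$bits" = "---" ]; then
        echo "OK      $f (other: $bits)"
        return 0
    fi
    echo "EXPOSED $f (other: $bits)"
    return 1
}

# harden_creds FILE: if the file is exposed, strip every permission
# for "other" and re-audit. Owner and group bits are left unchanged.
harden_creds() {
    audit_creds "$1" && return 0
    [ $? -eq 2 ] && return 2
    chmod o-rwx "$1" && audit_creds "$1"
}

# Run only when a path is passed on the command line.
if [ $# -gt 0 ]; then
    harden_creds "$1"
fi
```

Run it as root or as the jenkins user, since only the file's owner or root can change its mode.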