When using Jenkins' own user database, neither the web login nor the API calls have any lockout, IP blocking, CAPTCHA or similar protection. An attacker can therefore launch an unlimited brute-force attack against the system to try to find usernames and passwords.
Some protection must be put in place to prevent the attacker from making unlimited guesses against the username/password and the API auth values (project's token and user's token).
Tested on version 1.514.
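
A sketch of the kind of protection requested above, as an added example that is not Jenkins code: a sliding-window failure counter that temporarily locks both the targeted principal (user or token) and the source address, applied the same way to web logins and API token checks. The class name, thresholds, principal labels and sample events are assumptions made for illustration.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Hypothetical helper: count recent failures per principal and per source IP."""

    def __init__(self, max_failures=5, window=300.0, lockout=900.0):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time at which the lock expires

    @staticmethod
    def _keys(principal, source_ip):
        # Tracking target and source separately catches one address guessing
        # many accounts as well as many addresses guessing one account.
        return (("principal", principal), ("ip", source_ip))

    def is_blocked(self, principal, source_ip, now):
        return any(self._locked_until.get(k, 0.0) > now
                   for k in self._keys(principal, source_ip))

    def attempt(self, principal, source_ip, check, now):
        """Return 'blocked', 'ok' or 'denied'. `check` is a zero-argument callable
        that verifies the password or token; it is never called while blocked,
        so a locked-out guess learns nothing about the credential."""
        if self.is_blocked(principal, source_ip, now):
            return "blocked"
        if check():
            # Reset only the principal's counter, so a valid login on one
            # account cannot wipe the failure history of the source address.
            self._failures.pop(("principal", principal), None)
            return "ok"
        for key in self._keys(principal, source_ip):
            q = self._failures[key]
            q.append(now)
            while q and q[0] <= now - self.window:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= self.max_failures:
                self._locked_until[key] = now + self.lockout
                q.clear()
        return "denied"


def replay(events, throttle):
    """Feed constructed (time, principal, ip, credential_ok) events through the throttle."""
    return [throttle.attempt(p, ip, lambda ok=ok: ok, t) for t, p, ip, ok in events]
```

Locking per principal lets anyone who knows a username lock that user out for the lockout period, so keep the lockout short or replace it with an increasing delay where availability matters.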