- Type: Improvement
- Resolution: Won't Fix
- Priority: Major
- Component/s: matrix-auth-plugin
After upgrading to Jenkins 1.651.2, the "Overall/Administer" permission is required to fetch the list of plugins using the REST API. Calling https://jenkinsurl/pluginManager/api/json results in:
Access Denied username is missing the Overall/Administer permission
This seems to be caused by the fix for SECURITY-250 as I learned here:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
The problem is that we are using a bot account that has to read the plugin list for compatibility checks, but it should not have the "Overall/Administer" permission.
Please add a specific permission to grant a user the right to fetch the list of installed plugins. There already is "Overall/UploadPlugins", so "Overall/ReadPlugins" could be a good name.