Logged into Jenkins with a valid user, no unrestricted credentials assigned/scoped to my user. No permission to view or add credentials assigned to my user. Job import plugin has several users available, appearing in the dropdown as "username/***********". If I enter a query URL for an http server that I control and select one of these credentials, the password is transmitted in base64 encoding in the HTTP get request. This essentially allows me to dump any of these stored credentials despite not being allowed to access them through the credentials page.
It's possible that I misunderstand this functionality or that we have a misconfiguration, but this seems abuseable.