Information about Jenkins user accounts is generally available to anyone with Overall/Read permissions via the /user/(username)/api remote API. This included e.g. Jenkins users' email addresses if the Mailer Plugin is installed.

External References:
https://jenkins.io/security/advisory/2017-10-11/
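A detection example for the exposure described above, added here and not taken from the advisory or from Jenkins: it scans HTTP access logs for one authenticated account successfully reading several other users' records through /user/(username)/api. The NCSA-style log format, the sample lines, the function name and the threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in an NCSA-style access log format (assumed, not from the page).
SAMPLE_LOG = """\
203.0.113.7 - alice [11/Oct/2017:10:00:01 +0000] "GET /user/bob/api/json HTTP/1.1" 200 512
203.0.113.7 - alice [11/Oct/2017:10:00:02 +0000] "GET /user/carol/api/json HTTP/1.1" 200 498
203.0.113.7 - alice [11/Oct/2017:10:00:03 +0000] "GET /user/dave/api/xml HTTP/1.1" 200 530
203.0.113.7 - alice [11/Oct/2017:10:00:04 +0000] "GET /user/erin/api/json HTTP/1.1" 404 120
198.51.100.4 - bob [11/Oct/2017:10:05:00 +0000] "GET /user/bob/api/json HTTP/1.1" 200 512
198.51.100.4 - bob [11/Oct/2017:10:06:00 +0000] "GET /job/build/api/json HTTP/1.1" 200 900
"""

# client IP, authenticated account, request path, response status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<auth>\S+) \[[^\]]+\] '
    r'"(?:GET|POST|HEAD) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Matches the user remote API with or without a context path or query string.
USER_API_RE = re.compile(r'/user/(?P<name>[^/?]+)/api(?:[/?]|$)')


def user_api_lookups(log_text, threshold=3):
    """Return {(ip, account): sorted user names} for clients that successfully
    read at least `threshold` distinct other users' records via the API."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "200":
            continue  # unparsable line, or no data was returned
        hit = USER_API_RE.search(m["path"])
        if not hit:
            continue  # some other endpoint
        target = unquote(hit["name"])
        if target != m["auth"]:  # reading one's own record is expected
            seen[(m["ip"], m["auth"])].add(target)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}


if __name__ == "__main__":
    for (ip, account), names in user_api_lookups(SAMPLE_LOG).items():
        print(f"{account}@{ip} read {len(names)} user records: {', '.join(names)}")
```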
Created jenkins tracking bugs for this issue: Affects: openshift-1 [bug 1501969]
Created jenkins tracking bugs for this issue: Affects: fedora-all [bug 1558848]
OpenShift is now using Jenkins 2.89.2. Marking Enterprise and Online as not affected.