A missing permission check allowed any user to add or remove favorites for any other user. The API was changed so users cannot change another user’s favorites, only their own. External References: https://jenkins.io/security/advisory/2017-06-06/ Upstream patch: https://github.com/jenkinsci/favorite-plugin/commit/b6359532fe085d9ea6b7894e997e797806480777