Reactor plugin allows users with Job/Configure permission to run arbitrary Groovy code inside the Jenkins JVM by defining a Reactor Script that will be run when a Reactor Event triggers, effectively elevating privileges to Overall/Run Scripts. Affects all versions.
External References: https://jenkins.io/security/advisory/2017-04-10/#reactor-plugin
Created jenkins-task-reactor tracking bugs for this issue: Affects: fedora-all [bug 1443535]