A flaw was found in Jenkins Pipeline: Supporting APIs Plugin. Pipelines are subject to script security: Either the entire Pipeline needs to be approved, or it runs in a sandbox, with only whitelisted methods etc. allowed to be called. Methods related to Java deserialization like readResolve implemented in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. This could be exploited e.g. by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles.


References:
https://jenkins.io/security/advisory/2018-02-05/ [SECURITY-699 / CVE-2018-1000058]