The Groovy Sandbox library used by Script Security Plugin and Pipeline Groovy Plugin did not apply sandbox restrictions to finalize methods. This could be used to invoke arbitrary constructors and methods, bypassing sandbox protection. References: https://jenkins.io/security/advisory/2018-10-29/ Upstream patches: https://github.com/jenkinsci/script-security-plugin/commit/16c862ae9d4038a3edbd8bdfb0fd1401a509d56b https://github.com/jenkinsci/workflow-cps-plugin/commit/e1c56eb6d85d513cb24dfe188e6f592d0ff84b38 https://github.com/jenkinsci/groovy-sandbox/commit/0cd7ec12b7c56cfa3167d99c5f43147ce05449d3
Created jenkins-script-security-plugin tracking bugs for this issue: Affects: fedora-all [bug 1647060]
Mitigation: Do not run untrusted jenkins pipeline scripts.
This got split into two CVE's CVE-2018-1000865 and CVE-2018-1000866.