The Groovy Sandbox library used by Script Security Plugin and Pipeline Groovy Plugin did not apply sandbox restrictions to finalize methods. This could be used to invoke arbitrary constructors and methods, bypassing sandbox protection.
Created jenkins-script-security-plugin tracking bugs for this issue:
Affects: fedora-all [bug 1647060]
Do not run untrusted Jenkins pipeline scripts.
This got split into two CVEs: CVE-2018-1000865 and CVE-2018-1000866.