https://bugzilla.redhat.com/show_bug.cgi?id=1471060
--- Doc Text *updated* by Eric Christensen sparks@redhat.com --- The jenkins-plugin-script-security improperly whitelisted "DefaultGroovyMethods.putAt(Object, String, Object)" and "DefaultGroovyMethods.getAt(Object, String)" which allows attackers to bypass many restrictions and potentially trigger builds or access data they should not have access to. Exploitation of this requires the attacker to have access to the Jenkins instance, and for that Jenkins instance to be hosting other projects as well that the attacker should not have access to.