The ability to run a script prior to sending email was introduced in email-ext, a plugin with 10k+ installations, version 2.22 for
This allows users to exploit their job configure privilege for a single job to gain access to all of Jenkins, circumventing any security measures.
1. In project based matrix security (most severe permissions issue), give "User" overall read permission. Create job "Job" and give read/configure/build permissions to "User"
2. Log out and back in as "User"
3. Configure "Job" to send email-ext (upon success).
4. Set the pre-build script to e.g. "Hudson.instance.doQuietDown()" or "Hudson.instance.projects.each
5. Start a build
Jenkins is quieting down, or all projects have been disabled, depending on the script. Everything else is possible as well.
This feature cannot be deactivated, like Groovy Postbuild's "restrict access to internal objects", or used in a safe way by privileged users only, like Groovy's requiring administration permissions for adding or editing Groovy System build steps.
This issue is identical to SECURITY-35 of June 23rd. Maybe it will get a better response as a public issue.