I previously posed the question to support and the response I received:
"As described in this old Jira bug JRASERVER-66491 (not directly related to CVE-2020-17530, but it contains the information about Struts.), Atlassian Jira does not use Apache Struts 2.
Therefore, we can confirm that vulnerability CVE-2020-17530 does not affect Jira 8.5.5."
All I can tell you is that
doesn't include that vulnerability at all in the list. There's nothing there from 2020 though.
Maybe someone more security-savy can tell you more but regardless this seems a great question to ask directly to Atlassian rather than to the community. Who better than them to give you a official answer as oposed to an opinion? https://support.atlassian.com/contact/#/
Connect with like-minded Atlassian users at free events near you!Find an event
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no Community Events near you at the moment.Host an event