Type: Suggestion
Resolution: Support Request
Component/s: Security
We are currently using Bamboo version 9.1.1 (Build 90101) and need to clarify whether this version is vulnerable to CVE-2024-53677. According to available data, CVE-2024-53677 is a critical vulnerability affecting Apache Struts 2—in particular, versions 2.0.0 to 2.3.37, 2.5.0 to 2.5.33, and 6.0.0 to 6.3.0.22—which places it squarely within the range of concern.
I also observed that our installation contains the following file:
atlassian-bamboo\web-inf\lib\struts2-core-2.5.33-atlassian-1.jar,
and this issue appears to extend the findings mentioned in BAM-26044 ("Is Bamboo vulnerable to CVE-2024-53677").
Can you confirm that Bamboo 9.1.1 is not affected by this vulnerability? If there is any risk, what mitigation measures would you recommend?