aashari/mcp-server-atlassian-jira — agentic threat model
This agent acts as a direct bridge to Atlassian Jira Cloud. Its write access to issues and comments presents significant risk: it can be abused for prompt injection or unauthorized project modifications if the underlying LLM is compromised.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.60 |
| Goal-Driven Planning | 0.40 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.70 |
| Persistent Memory | 0.20 |
| Contextual Awareness | 0.50 |
| Dynamic Identity | 0.30 |
| Multi-Agent Interactions | 0.30 |
| Non-Determinism | 0.40 |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1, Foundation Models (not certain from the listing): The MCP server itself does not specify a foundation model, but the host LLM is highly vulnerable to indirect prompt injection via malicious Jira issue descriptions or comments ingested during real-time queries.
Layer 2, Data Operations: The agent performs real-time queries on Jira projects, issues, and comments. This creates a direct data exfiltration risk if an attacker can inject instructions into a Jira ticket that force the agent to leak sensitive project data.
Layer 3, Agent Frameworks: The agent exposes tools for reading and writing Jira issues and comments. Framework-level vulnerabilities include tool misuse, where a compromised planner could delete, modify, or spam Jira issues using the provided MCP tool definitions.
Layer 4, Deployment and Infrastructure (not certain from the listing): The hosting environment of the MCP server is unspecified, but it relies on Jira API tokens for authentication. Insecure storage of these tokens on the host infrastructure poses a high risk of credential theft.
Layer 5, Evaluation and Observability (not certain from the listing): There is no mention of built-in logging, audit trails, or guardrails to monitor and intercept malicious tool calls or anomalous Jira modifications before they execute.
Layer 6, Security and Compliance: Access control is entirely dependent on the scope of the provided Jira API token. If the token is over-privileged, the agent inherits full write/delete permissions across all accessible Jira projects without secondary authorization.
Layer 7, Agent Ecosystem: As an MCP server, this agent is designed to be orchestrated by other host agents. This introduces cascading risks where a compromised upstream orchestrator can abuse this agent to manipulate Jira project states.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).