jira-mcp-server — agentic threat model

AIVSS 7.3 · High

The jira-mcp-server poses moderate risk as a stateless tool provider that grants LLMs direct read/write access to Jira. Its primary vulnerabilities stem from credential exposure (API token) and the potential for indirect prompt injection or spamming via the issue creation tool.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base 6.5 · AARS uplift 0.77 · Factor sum 2.2/10 · Threat ×1.0 · Mitigation ×1.0

Agentic risk factors:
Autonomy of Action: 0.40
Goal-Driven Planning: 0.10
Self-Modification: 0.00
Dynamic Tool Use: 0.50
Persistent Memory: 0.00
Contextual Awareness: 0.20
Dynamic Identity: 0.30
Multi-Agent Interactions: 0.40
Non-Determinism: 0.20
Opacity & Reflexivity: 0.10

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — The server itself does not bundle a foundation model, but exposes tools to external LLMs (like Claude), making it susceptible to prompt injection via retrieved Jira issue content.

L2 · Data Operations · ✓ mapped

Exposes Jira search and retrieval. Risks include data exfiltration of sensitive issue descriptions or comments, and indirect prompt injection if the agent processes untrusted issue data.

L3 · Agent Frameworks · ✓ mapped

Integrates via the Model Context Protocol (MCP). Vulnerable to tool misuse (e.g., unauthorized issue creation or spamming) if the orchestrating agent is compromised or tricked.

L4 · Deployment & Infrastructure · ✓ mapped

Requires hosting the MCP server and storing a Jira email and API token. Compromise of the hosting environment or configuration files exposes these credentials, leading to direct Jira API abuse.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — No built-in logging, auditing, or guardrails are mentioned. Without external observability, malicious tool invocations or data exfiltration may go undetected.

L6 · Security & Compliance (cross-cutting) · ✓ mapped

Uses simple token authentication (Jira email + API token). Lacks fine-grained authorization (authZ) or user-impersonation controls, meaning any client with access to the MCP server inherits full token permissions.

L7 · Agent Ecosystem · ✓ mapped

Designed for multi-agent or agent-to-application ecosystems via MCP. A compromised upstream agent could abuse this server to manipulate Jira projects or exfiltrate tracker data.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).