Homepage

mcp-atlassian@0.16.0 vulnerabilities

The Model Context Protocol (MCP) Atlassian integration is an open-source implementation that bridges Atlassian products (Jira and Confluence) with AI language models following Anthropic's MCP specification. This project enables secure, contextual AI interactions with Atlassian tools while maintaining data privacy and security. Key features include:

  • latest version

    0.21.0

  • latest non vulnerable version

    0.21.0

  • first published

    1 years ago

  • latest version published

    14 days ago

  • licenses detected

  • View mcp-atlassian package health on Snyk Advisor  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the mcp-atlassian package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Server-side Request Forgery (SSRF)

    mcp-atlassian is a The Model Context Protocol (MCP) Atlassian integration is an open-source implementation that bridges Atlassian products (Jira and Confluence) with AI language models following Anthropic's MCP specification. This project enables secure, contextual AI interactions with Atlassian tools while maintaining data privacy and security. Key features include:

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the HTTP endpoint. An attacker can cause the server to make arbitrary outbound HTTP requests to attacker-controlled URLs, potentially exposing sensitive internal resources or credentials, by sending specially crafted requests containing X-Atlassian-Jira-Url or X-Atlassian-Confluence-Url headers without an Authorization header.

    Note:

    This is only exploitable if the server is running with --transport streamable-http or --transport sse, the request contains both the relevant URL and personal token headers, and no Authorization header is present.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade mcp-atlassian to version 0.17.0 or higher.

    [,0.17.0)
    • M
    External Control of File Name or Path

    mcp-atlassian is a The Model Context Protocol (MCP) Atlassian integration is an open-source implementation that bridges Atlassian products (Jira and Confluence) with AI language models following Anthropic's MCP specification. This project enables secure, contextual AI interactions with Atlassian tools while maintaining data privacy and security. Key features include:

    Affected versions of this package are vulnerable to External Control of File Name or Path via the confluence_download_attachment MCP tool. An attacker can write arbitrary files to any location accessible by the server process and potentially achieve code execution by supplying a crafted download_path parameter and uploading a malicious attachment.

    How to fix External Control of File Name or Path?

    Upgrade mcp-atlassian to version 0.17.0 or higher.

    [,0.17.0)
    Go back to all versions of this package