ICU
critical

mcp-atlassian

v2.1.0

MCP server for Atlassian (Confluence and Jira) integration

npm | vijay_duke | First seen Feb 22, 2026

Total: 47 | Critical: 20 | High: 17 | Medium: 10

Findings

unknown
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    24:         }
    25:     }
>>> 26:     if (process.env.TIME_DISPLAY_FORMAT) {
    27:         const format = process.env.TIME_DISPLAY_FORMAT.toLowerCase();
    28:         if (['short', 'long', 'mixed'].includes(format)) {
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    19:     const config = {};
    20:     if (process.env.WORK_HOURS_PER_DAY) {
>>> 21:         const value = parseInt(process.env.WORK_HOURS_PER_DAY);
    22:         if (!isNaN(value) && value > 0 && value <= 24) {
    23:             config.hoursPerDay = value;
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    18: function loadConfigFromEnv() {
    19:     const config = {};
>>> 20:     if (process.env.WORK_HOURS_PER_DAY) {
    21:         const value = parseInt(process.env.WORK_HOURS_PER_DAY);
    22:         if (!isNaN(value) && value > 0 && value <= 24) {
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    3: export function createAtlassianClient() {
    4:     const baseURL = process.env.ATLASSIAN_BASE_URL;
>>> 5:     const email = process.env.ATLASSIAN_EMAIL;
    6:     const apiToken = process.env.ATLASSIAN_API_TOKEN;
    7:     if (!baseURL || !email || !apiToken) {
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    2: import { HttpsProxyAgent } from 'https-proxy-agent';
    3: export function createAtlassianClient() {
>>> 4:     const baseURL = process.env.ATLASSIAN_BASE_URL;
    5:     const email = process.env.ATLASSIAN_EMAIL;
    6:     const apiToken = process.env.ATLASSIAN_API_TOKEN;
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    245: const requiredEnvVars = ['ATLASSIAN_BASE_URL', 'ATLASSIAN_EMAIL', 'ATLASSIAN_API_TOKEN'];
    246: for (const envVar of requiredEnvVars) {
>>> 247:     if (!process.env[envVar]) {
    248:         console.error(`Error: Missing required environment variable: ${envVar}`);
    249:         process.exit(1);
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    55:         Logger.info('Initializing Atlassian MCP Server', {
    56:             version,
>>> 57:             environment: process.env.NODE_ENV || 'development',
    58:         });
    59:         this.registerTools();
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    396: │       └── export-converter.ts  # HTML/Markdown export utilities
    397: ├── dist/                        # Compiled JavaScript
>>> 398: ├── .env                         # Environment variables (not in git)
    399: ├── package.json
    400: └── tsconfig.json
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    77: 2. Click "Create API token"
    78: 3. Give it a label and copy the token
>>> 79: 4. Use this token in your `.env` file
    80: 
    81: ### MCP Settings Configuration
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    64: ### Environment Variables
    65: 
>>> 66: Create a `.env` file in the root directory:
    67: 
    68: ```env
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    27: });
    28: // Add file transport in production
>>> 29: if (process.env.NODE_ENV === 'production') {
    30:     logger.add(new winston.transports.File({
    31:         filename: 'logs/error.log',
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    17:         service: 'mcp-atlassian',
    18:         version: process.env.npm_package_version || '2.0.0',
>>> 19:         environment: process.env.NODE_ENV || 'development',
    20:     },
    21:     transports: [
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    16:     defaultMeta: {
    17:         service: 'mcp-atlassian',
>>> 18:         version: process.env.npm_package_version || '2.0.0',
    19:         environment: process.env.NODE_ENV || 'development',
    20:     },
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    10: // Create winston logger instance
    11: const logger = winston.createLogger({
>>> 12:     level: process.env.LOG_LEVEL || 'info',
    13:     format: winston.format.combine(winston.format.timestamp({
    14:         format: 'YYYY-MM-DD HH:mm:ss',
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    25:     // Add proxy configuration using https-proxy-agent
    26:     const httpsProxy = process.env.HTTPS_PROXY || process.env.https_proxy;
>>> 27:     const httpProxy = process.env.HTTP_PROXY || process.env.http_proxy;
    28:     if (httpsProxy || httpProxy) {
    29:         const proxyUrl = httpsProxy || httpProxy;
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    30:         }
    31:     }
>>> 32:     if (process.env.INCLUDE_SECONDS) {
    33:         config.includeSeconds = process.env.INCLUDE_SECONDS.toLowerCase() === 'true';
    34:     }
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    25:     }
    26:     if (process.env.TIME_DISPLAY_FORMAT) {
>>> 27:         const format = process.env.TIME_DISPLAY_FORMAT.toLowerCase();
    28:         if (['short', 'long', 'mixed'].includes(format)) {
    29:             config.displayFormat = format;
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    31:     }
    32:     if (process.env.INCLUDE_SECONDS) {
>>> 33:         config.includeSeconds = process.env.INCLUDE_SECONDS.toLowerCase() === 'true';
    34:     }
    35:     return config;
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    24:     };
    25:     // Add proxy configuration using https-proxy-agent
>>> 26:     const httpsProxy = process.env.HTTPS_PROXY || process.env.https_proxy;
    27:     const httpProxy = process.env.HTTP_PROXY || process.env.http_proxy;
    28:     if (httpsProxy || httpProxy) {
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    4:     const baseURL = process.env.ATLASSIAN_BASE_URL;
    5:     const email = process.env.ATLASSIAN_EMAIL;
>>> 6:     const apiToken = process.env.ATLASSIAN_API_TOKEN;
    7:     if (!baseURL || !email || !apiToken) {
    8:         throw new Error('Missing required environment variables');
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: ���W���.�+r��b

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: ������� i�'�*'

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: r�ߊ•��{�%j�^

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: j�Z�Ț��b���ױ

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: j�Z�Ț��b���ױ

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: J�b�'���ӭ�즊�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: ��'~[��ǿ��ݕ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: ��B�w���x+����Rǫ

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: �+- �ߖ�q�iǬ

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: v�'��� �ߖ�q�-��!���

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: r���ਝ�nzw=�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: ��Z�ਝ�nzw=�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: i�B�w���x*&���

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: {h���nzw=�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: J�b�'���ӭ�즊�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | SC-003 | Suspicious Commands | Medium Confidence | Line 0

Dynamic code execution via exec()

Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.

    75:         let match;
    76:         let processedHtml = html;
>>> 77:         while ((match = imgRegex.exec(html)) !== null) {
    78:             images.push({
    79:                 tag: match[0],
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: ���j���iE��1���

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (5.0 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.5 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.9 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.


Scan History

Date | Risk | Findings
Feb 26, 2026 | critical | 47
Feb 23, 2026 | critical | 47
Feb 22, 2026 | critical | 47