[Bugcrowd] (WIP) Jira users can get titles of issues they do not have access to

Description

THIS IS STILL BEING INVESTIGATED BY THE QA.

Steps to reproduce:

Part 1. Configuration

  1. Log in as admin

  2. Go to https://<YOUR_INSTANCE>.atlassian.net/jira/projects?page=1&sortKey=name&sortOrder=ASC

  3. Click Create space

  4. Select any space from Software development tab -> Use template -> Select a team-managed space

  5. Fill in all required fields and set the Access value to Private (not available on a free plan, where you will see a link to upgrade the plan instead)

  6. Click Next

  7. On Bring your team along, do not invite any users and click Skip

  8. Click Continue

  9. Create an issue in the created space

  10. Open the created issue and add a comment

  11. Go to the request history and find the request to /gateway/api/graphql/pq/420aabd5be18777f23f5d63737935c48c5277910aeb87b94825fde118663914c?operation=useSaveCommentRelayAddCommentMutation, then get the issue id from the issueId value in the request body (it looks like ari:cloud:jira:<CLOUD_ID>:issue/<ISSUE_ID>)

Part 2. Unauthorized access

  1. Log in as a non-admin user and ensure that you do not have access to the issue in the restricted project

  2. Open any issue that you can access

  3. Click ... in the top right corner -> Create External Share

  4. When the page has loaded, go to the request history in Burp Suite, find the POST request to /api/share, and send it to Repeater

  5. Change the issueId value in the request body to the value from step 11 of Part 1 and send the request

  6. The response contains the issue title in the name field
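
The check that Part 2 shows to be missing, as an added example (a hypothetical share handler in Python, not Atlassian's code and not part of the original report): the first function models the observed behaviour, the second authorises the caller against the issue named in the request body and returns one uniform error for malformed, unknown and forbidden ids. The ARI pattern (hex cloud id, numeric issue id), the in-memory issue store, the function names and the response shape beyond the name field are assumptions.

```python
import re

# ARI shape from the report: ari:cloud:jira:<CLOUD_ID>:issue/<ISSUE_ID>
# (hex/dash cloud id and numeric issue id are assumptions).
ARI_RE = re.compile(r"ari:cloud:jira:([0-9a-fA-F-]+):issue/(\d+)")

# Constructed sample data: issue id -> (title, accounts allowed to view it).
ISSUES = {
    "10001": ("Public roadmap item", {"admin", "alice"}),
    "10002": ("Private space: acquisition plan", {"admin"}),
}
TENANT_CLOUD_ID = "11111111-2222-3333-4444-555555555555"  # constructed


class ShareDenied(Exception):
    """Single error for malformed, unknown and forbidden ids alike."""


def ari(issue_id):
    """Build an issue ARI for the constructed tenant."""
    return f"ari:cloud:jira:{TENANT_CLOUD_ID}:issue/{issue_id}"


def create_share_unchecked(caller, body):
    """Model of the observed behaviour: issueId from the body is trusted."""
    issue_id = ARI_RE.fullmatch(body["issueId"]).group(2)
    title, _viewers = ISSUES[issue_id]
    return {"issueId": body["issueId"], "name": title}


def create_share_checked(caller, body):
    """Authorise the caller against the object named in the body."""
    m = ARI_RE.fullmatch(str(body.get("issueId", "")))
    if not m or m.group(1) != TENANT_CLOUD_ID:
        raise ShareDenied("issue not found")
    record = ISSUES.get(m.group(2))
    # Same error whether the issue is missing or merely hidden, so the
    # endpoint cannot be used to confirm that an issue id exists.
    if record is None or caller not in record[1]:
        raise ShareDenied("issue not found")
    return {"issueId": body["issueId"], "name": record[0]}
```

The same three negative cases (hidden issue, unknown issue, malformed id) make a useful regression test for the real endpoint once a fix is deployed.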
