Privilege escalation to use "Import CSV" issues feature by a user with an insufficient role

⚠️ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2870330 by mateuszek on 2024-11-28, assigned to @ottilia_westerlund:


Report

1. Description:
I can read in the GitLab docs related to importing issues from CSV that:
You must have at least the Developer role for a project to import issues.
docs: https://docs.gitlab.com/ee/user/project/issues/csv_import.html

So in relation to these docs, the Planner role is a lower role than Developer, so we expect that a user with the Planner role can't use the PoC feature, BUT he can: privilege escalation to use the "Import CSV" issues feature by a user with an insufficient role.

2. Scenario:

2.1. Actors:
User A - attacker - user with the Planner role in a public project of a public group

2.2. Steps:

  1. User A: go to the public project's issues (Plan -> Issues), click the three-dots menu, then click Import CSV, choose the CSV file containing the issue and click Import. You should successfully import the issue: privilege escalation to use the "Import CSV" issues feature by a user with an insufficient role.

Example csv file with issue content:

title,description
test4,test4

Best regards,
Mateusz

Impact

  • Privilege escalation to use the "Import CSV" issues feature by a user with an insufficient role
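The role check the report describes as missing, as an added Ruby example that is not GitLab's code: it models project access levels in the order the report gives (Planner below Developer), gates a CSV issue import on the documented Developer minimum, and places a permissive "any member may import" check beside it to show how a Planner would slip through. The class names, the numeric level values and the permissive variant are this example's own assumptions about the bug class, not GitLab's implementation or the confirmed root cause of this report.

```ruby
# Added example (not GitLab's code): a minimal model of a role-gated
# "Import issues from CSV" action. Shows why the authorization check must
# compare against the Developer level rather than merely "is a member".
require 'csv'

module Access
  # Ordered access levels. The ordering follows the report (Planner is
  # below Developer); the numeric values are this example's own, not
  # GitLab's constants.
  NO_ACCESS  = 0
  GUEST      = 10
  PLANNER    = 15
  REPORTER   = 20
  DEVELOPER  = 30
  MAINTAINER = 40
  OWNER      = 50
end

class ProjectMember
  attr_reader :name, :access_level

  def initialize(name, access_level)
    @name = name
    @access_level = access_level
  end
end

class IssueImportPolicy
  # Minimum role the docs state for importing issues from CSV.
  MIN_IMPORT_LEVEL = Access::DEVELOPER

  def initialize(member)
    @member = member
  end

  # Illustrative weak check (assumed bug class, not the confirmed cause):
  # any project member who can see issues may import them. On a public
  # project this admits low roles such as Planner.
  def can_import_issues_permissive?
    @member.access_level >= Access::GUEST
  end

  # Hardened check: enforce the documented minimum role.
  def can_import_issues?
    @member.access_level >= MIN_IMPORT_LEVEL
  end
end

class IssueImporter
  ImportDenied = Class.new(StandardError)

  def initialize(member)
    @policy = IssueImportPolicy.new(member)
  end

  # Parses the CSV text and returns the issues that would be created.
  # Authorization is decided before the CSV is touched, so a denied user
  # never gets the file parsed on their behalf.
  def import(csv_text)
    raise ImportDenied, 'requires at least Developer role' unless @policy.can_import_issues?

    CSV.parse(csv_text, headers: true).map do |row|
      { title: row['title'], description: row['description'] }
    end
  end
end

# Constructed sample input mirroring the CSV in the report.
SAMPLE_CSV = "title,description\ntest4,test4\n".freeze

# Runs the import as a member with the given level; returns either the
# parsed issues or a hash describing the denial.
def import_as(name, level)
  IssueImporter.new(ProjectMember.new(name, level)).import(SAMPLE_CSV)
rescue IssueImporter::ImportDenied => e
  { denied: e.message }
end

if __FILE__ == $0
  p import_as('planner', Access::PLANNER)     # denied
  p import_as('developer', Access::DEVELOPER) # one issue parsed
end
```

The point of the contrast is that both checks pass for a Developer, so a test suite that only exercises the documented role never notices the gap; a regression test for this class of bug has to assert the denial for every role below the minimum, Planner included.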

How To Reproduce

Please add reproducibility information to this section:
