Vulnerability severity is sometimes not updated when advisories have a new severity assigned
Summary
When an advisory is published without a severity and then later updated, the vulnerabilities created by continuous vulnerability scanning do not have their severity updated.
Continuation from https://gitlab.com/gitlab-org/gitlab/-/issues/548208:
When I look at the source of this advisory I see the CVSS vector pointing to high. This explains why Gemnasium generated a vulnerability with High severity. Then when I check the PMDB data that are exported:
```
grep -r -i "CVE-2024-52798"
./1740556945/000000000.ndjson:{"advisory":{"id":"1e75e0d7-8ca6-4776-ab76-bf03bcce492d","source":"glad","title":"Unpatched `path-to-regexp` ReDoS in 0.1.x","description":"The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of `path-to-regexp`, originally reported in CVE-2024-45296","published_date":"2024-12-05","urls":["https://nvd.nist.gov/vuln/detail/CVE-2024-52798","https://github.com/advisories/GHSA-rhx6-c78j-4q9w","https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-rhx6-c78j-4q9w","https://github.com/pillarjs/path-to-regexp/commit/f01c26a013b1889f0c217c643964513acf17f6a4","https://blakeembrey.com/posts/2024-09-web-redos","https://github.com/pillarjs/path-to-regexp","https://security.netapp.com/advisory/ntap-20250124-0002"],"identifiers":[{"type":"cve","name":"CVE-2024-52798","value":"CVE-2024-52798","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52798"},{"type":"ghsa","name":"GHSA-rhx6-c78j-4q9w","value":"GHSA-rhx6-c78j-4q9w","url":"https://github.com/advisories/GHSA-rhx6-c78j-4q9w"},{"type":"cwe","name":"CWE-1333","value":"1333","url":"https://cwe.mitre.org/data/definitions/1333.html"},{"type":"cwe","name":"CWE-937","value":"937","url":"https://cwe.mitre.org/data/definitions/937.html"},{"type":"cwe","name":"CWE-1035","value":"1035","url":"https://cwe.mitre.org/data/definitions/1035.html"}]},"packages":[{"name":"path-to-regexp","purl_type":"npm","affected_range":"<0.1.12","solution":"Upgrade to version 0.1.12 or above.","fixed_versions":["0.1.12"]}]}
./1749020543/000000000.ndjson:{"advisory":{"id":"1e75e0d7-8ca6-4776-ab76-bf03bcce492d","source":"glad","title":"path-to-regexp contains a ReDoS","description":"The regular expression that is vulnerable to backtracking can be generated in versions before 0.1.12 of `path-to-regexp`, originally reported in CVE-2024-45296","cvss_v3":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","published_date":"2024-12-05","urls":["https://nvd.nist.gov/vuln/detail/CVE-2024-52798","https://github.com/advisories/GHSA-rhx6-c78j-4q9w","https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-rhx6-c78j-4q9w","https://github.com/pillarjs/path-to-regexp/commit/f01c26a013b1889f0c217c643964513acf17f6a4","https://blakeembrey.com/posts/2024-09-web-redos","https://github.com/pillarjs/path-to-regexp","https://security.netapp.com/advisory/ntap-20250124-0002"],"identifiers":[{"type":"cve","name":"CVE-2024-52798","value":"CVE-2024-52798","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52798"},{"type":"ghsa","name":"GHSA-rhx6-c78j-4q9w","value":"GHSA-rhx6-c78j-4q9w","url":"https://github.com/advisories/GHSA-rhx6-c78j-4q9w"},{"type":"cwe","name":"CWE-1333","value":"1333","url":"https://cwe.mitre.org/data/definitions/1333.html"},{"type":"cwe","name":"CWE-937","value":"937","url":"https://cwe.mitre.org/data/definitions/937.html"},{"type":"cwe","name":"CWE-1035","value":"1035","url":"https://cwe.mitre.org/data/definitions/1035.html"}]},"packages":[{"name":"path-to-regexp","purl_type":"npm","affected_range":"<0.1.12","solution":"Upgrade to version 0.1.12 or above.","fixed_versions":["0.1.12"]}]}
./1742976143/000000000.ndjson:{"advisory":{"id":"1e75e0d7-8ca6-4776-ab76-bf03bcce492d","source":"glad","title":"Unpatched `path-to-regexp` ReDoS in 0.1.x","description":"The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of `path-to-regexp`, originally reported in CVE-2024-45296","published_date":"2024-12-05","urls":["https://nvd.nist.gov/vuln/detail/CVE-2024-52798","https://github.com/advisories/GHSA-rhx6-c78j-4q9w","https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-rhx6-c78j-4q9w","https://github.com/pillarjs/path-to-regexp/commit/f01c26a013b1889f0c217c643964513acf17f6a4","https://blakeembrey.com/posts/2024-09-web-redos","https://github.com/pillarjs/path-to-regexp","https://security.netapp.com/advisory/ntap-20250124-0002"],"identifiers":[{"type":"cve","name":"CVE-2024-52798","value":"CVE-2024-52798","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52798"},{"type":"ghsa","name":"GHSA-rhx6-c78j-4q9w","value":"GHSA-rhx6-c78j-4q9w","url":"https://github.com/advisories/GHSA-rhx6-c78j-4q9w"},{"type":"cwe","name":"CWE-1333","value":"1333","url":"https://cwe.mitre.org/data/definitions/1333.html"},{"type":"cwe","name":"CWE-937","value":"937","url":"https://cwe.mitre.org/data/definitions/937.html"},{"type":"cwe","name":"CWE-1035","value":"1035","url":"https://cwe.mitre.org/data/definitions/1035.html"}]},"packages":[{"name":"path-to-regexp","purl_type":"npm","affected_range":"<0.1.12","solution":"Upgrade to version 0.1.12 or above.","fixed_versions":["0.1.12"]}]}
./1739885462/000000000.ndjson:{"advisory":{"id":"1e75e0d7-8ca6-4776-ab76-bf03bcce492d","source":"glad","title":"Unpatched `path-to-regexp` ReDoS in 0.1.x","description":"The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of `path-to-regexp`, originally reported in CVE-2024-45296","published_date":"2024-12-05","urls":["https://nvd.nist.gov/vuln/detail/CVE-2024-52798","https://github.com/advisories/GHSA-rhx6-c78j-4q9w","https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-rhx6-c78j-4q9w","https://github.com/pillarjs/path-to-regexp/commit/f01c26a013b1889f0c217c643964513acf17f6a4","https://blakeembrey.com/posts/2024-09-web-redos","https://github.com/pillarjs/path-to-regexp","https://security.netapp.com/advisory/ntap-20250124-0002"],"identifiers":[{"type":"cve","name":"CVE-2024-52798","value":"CVE-2024-52798","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52798"},{"type":"ghsa","name":"GHSA-rhx6-c78j-4q9w","value":"GHSA-rhx6-c78j-4q9w","url":"https://github.com/advisories/GHSA-rhx6-c78j-4q9w"},{"type":"cwe","name":"CWE-1333","value":"1333","url":"https://cwe.mitre.org/data/definitions/1333.html"},{"type":"cwe","name":"CWE-937","value":"937","url":"https://cwe.mitre.org/data/definitions/937.html"},{"type":"cwe","name":"CWE-1035","value":"1035","url":"https://cwe.mitre.org/data/definitions/1035.html"}]},"packages":[{"name":"path-to-regexp","purl_type":"npm","affected_range":"<0.1.12","solution":"Upgrade to version 0.1.12 or above.","fixed_versions":["0.1.12"]}]}
./1744959741/000000000.ndjson:{"advisory":{"id":"1e75e0d7-8ca6-4776-ab76-bf03bcce492d","source":"glad","title":"Unpatched `path-to-regexp` ReDoS in 0.1.x","description":"The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of `path-to-regexp`, originally reported in CVE-2024-45296","published_date":"2024-12-05","urls":["https://nvd.nist.gov/vuln/detail/CVE-2024-52798","https://github.com/advisories/GHSA-rhx6-c78j-4q9w","https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-rhx6-c78j-4q9w","https://github.com/pillarjs/path-to-regexp/commit/f01c26a013b1889f0c217c643964513acf17f6a4","https://blakeembrey.com/posts/2024-09-web-redos","https://github.com/pillarjs/path-to-regexp","https://security.netapp.com/advisory/ntap-20250124-0002"],"identifiers":[{"type":"cve","name":"CVE-2024-52798","value":"CVE-2024-52798","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52798"},{"type":"ghsa","name":"GHSA-rhx6-c78j-4q9w","value":"GHSA-rhx6-c78j-4q9w","url":"https://github.com/advisories/GHSA-rhx6-c78j-4q9w"},{"type":"cwe","name":"CWE-1333","value":"1333","url":"https://cwe.mitre.org/data/definitions/1333.html"},{"type":"cwe","name":"CWE-937","value":"937","url":"https://cwe.mitre.org/data/definitions/937.html"},{"type":"cwe","name":"CWE-1035","value":"1035","url":"https://cwe.mitre.org/data/definitions/1035.html"}]},"packages":[{"name":"path-to-regexp","purl_type":"npm","affected_range":"<0.1.12","solution":"Upgrade to version 0.1.12 or above.","fixed_versions":["0.1.12"]}]}
./1748242957/000000000.ndjson:{"advisory":{"id":"1e75e0d7-8ca6-4776-ab76-bf03bcce492d","source":"glad","title":"Unpatched `path-to-regexp` ReDoS in 0.1.x","description":"The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of `path-to-regexp`, originally reported in CVE-2024-45296","published_date":"2024-12-05","urls":["https://nvd.nist.gov/vuln/detail/CVE-2024-52798","https://github.com/advisories/GHSA-rhx6-c78j-4q9w","https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-rhx6-c78j-4q9w","https://github.com/pillarjs/path-to-regexp/commit/f01c26a013b1889f0c217c643964513acf17f6a4","https://blakeembrey.com/posts/2024-09-web-redos","https://github.com/pillarjs/path-to-regexp","https://security.netapp.com/advisory/ntap-20250124-0002"],"identifiers":[{"type":"cve","name":"CVE-2024-52798","value":"CVE-2024-52798","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52798"},{"type":"ghsa","name":"GHSA-rhx6-c78j-4q9w","value":"GHSA-rhx6-c78j-4q9w","url":"https://github.com/advisories/GHSA-rhx6-c78j-4q9w"},{"type":"cwe","name":"CWE-1333","value":"1333","url":"https://cwe.mitre.org/data/definitions/1333.html"},{"type":"cwe","name":"CWE-937","value":"937","url":"https://cwe.mitre.org/data/definitions/937.html"},{"type":"cwe","name":"CWE-1035","value":"1035","url":"https://cwe.mitre.org/data/definitions/1035.html"}]},"packages":[{"name":"path-to-regexp","purl_type":"npm","affected_range":"<0.1.12","solution":"Upgrade to version 0.1.12 or above.","fixed_versions":["0.1.12"]}]}
./1745650947/000000000.ndjson:{"advisory":{"id":"1e75e0d7-8ca6-4776-ab76-bf03bcce492d","source":"glad","title":"Unpatched `path-to-regexp` ReDoS in 0.1.x","description":"The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of `path-to-regexp`, originally reported in CVE-2024-45296","published_date":"2024-12-05","urls":["https://nvd.nist.gov/vuln/detail/CVE-2024-52798","https://github.com/advisories/GHSA-rhx6-c78j-4q9w","https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-rhx6-c78j-4q9w","https://github.com/pillarjs/path-to-regexp/commit/f01c26a013b1889f0c217c643964513acf17f6a4","https://blakeembrey.com/posts/2024-09-web-redos","https://github.com/pillarjs/path-to-regexp","https://security.netapp.com/advisory/ntap-20250124-0002"],"identifiers":[{"type":"cve","name":"CVE-2024-52798","value":"CVE-2024-52798","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52798"},{"type":"ghsa","name":"GHSA-rhx6-c78j-4q9w","value":"GHSA-rhx6-c78j-4q9w","url":"https://github.com/advisories/GHSA-rhx6-c78j-4q9w"},{"type":"cwe","name":"CWE-1333","value":"1333","url":"https://cwe.mitre.org/data/definitions/1333.html"},{"type":"cwe","name":"CWE-937","value":"937","url":"https://cwe.mitre.org/data/definitions/937.html"},{"type":"cwe","name":"CWE-1035","value":"1035","url":"https://cwe.mitre.org/data/definitions/1035.html"}]},"packages":[{"name":"path-to-regexp","purl_type":"npm","affected_range":"<0.1.12","solution":"Upgrade to version 0.1.12 or above.","fixed_versions":["0.1.12"]}]}
```

I see various dates on which this advisory has been updated. More specifically:
- 1739885462 → February 18, 2025 at 14:31:02 (2025-02-18T13:31:02.000Z)
- 1740556945 → February 26, 2025 at 09:02:25 (2025-02-26T08:02:25.000Z)
- 1742976143 → March 26, 2025 at 09:02:23 (2025-03-26T08:02:23.000Z)
- 1744959741 → April 18, 2025 at 09:02:21 (2025-04-18T07:02:21.000Z)
- 1745650947 → April 26, 2025 at 09:02:27 (2025-04-26T07:02:27.000Z)
- 1748242957 → May 26, 2025 at 09:02:37 (2025-05-26T07:02:37.000Z)
- 1749020543 → June 4, 2025 at 09:02:23 (2025-06-04T07:02:23.000Z)
Severity level is extracted by `cvss_v3`:

```
grep -r -i "CVE-2024-52798" | grep cvss_v3
./1749020543/000000000.ndjson:{"advisory":{"id":"1e75e0d7-8ca6-4776-ab76-bf03bcce492d","source":"glad","title":"path-to-regexp contains a ReDoS","description":"The regular expression that is vulnerable to backtracking can be generated in versions before 0.1.12 of `path-to-regexp`, originally reported in CVE-2024-45296","cvss_v3":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","published_date":"2024-12-05","urls":["https://nvd.nist.gov/vuln/detail/CVE-2024-52798","https://github.com/advisories/GHSA-rhx6-c78j-4q9w","https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-rhx6-c78j-4q9w","https://github.com/pillarjs/path-to-regexp/commit/f01c26a013b1889f0c217c643964513acf17f6a4","https://blakeembrey.com/posts/2024-09-web-redos","https://github.com/pillarjs/path-to-regexp","https://security.netapp.com/advisory/ntap-20250124-0002"],"identifiers":[{"type":"cve","name":"CVE-2024-52798","value":"CVE-2024-52798","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52798"},{"type":"ghsa","name":"GHSA-rhx6-c78j-4q9w","value":"GHSA-rhx6-c78j-4q9w","url":"https://github.com/advisories/GHSA-rhx6-c78j-4q9w"},{"type":"cwe","name":"CWE-1333","value":"1333","url":"https://cwe.mitre.org/data/definitions/1333.html"},{"type":"cwe","name":"CWE-937","value":"937","url":"https://cwe.mitre.org/data/definitions/937.html"},{"type":"cwe","name":"CWE-1035","value":"1035","url":"https://cwe.mitre.org/data/definitions/1035.html"}]},"packages":[{"name":"path-to-regexp","purl_type":"npm","affected_range":"<0.1.12","solution":"Upgrade to version 0.1.12 or above.","fixed_versions":["0.1.12"]}]}
```

So it seems that on June 4th the `cvss_v3` field was added. Indeed I can see that in GLAD. Before that date there was no vector and this would result in an UNKNOWN severity.

My educated assumption is that for some reason the Rails instance doesn't have the most up-to-date data. So what happens is the following:
- Gemnasium runs, downloads the latest GLAD and creates a vulnerability of HIGH severity, since it uses the latest data.
- Vulnerability is created as HIGH.
- CVS runs and creates it with UNKNOWN.
Steps to reproduce
Example Project
What is the current bug behavior?
The vulnerability has the severity of "Unknown".
What is the expected correct behavior?
The vulnerability's severity should be "High".
Relevant logs and/or screenshots
Output of checks
Results of GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:env:info`) (For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)
Results of GitLab application Check
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:check SANITIZE=true`) (For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`) (we will only investigate if the tests are passing)
Possible fixes
Patch release information for backports
If the bug fix needs to be backported in a patch release to a version under the maintenance policy, please follow the steps on the patch release runbook for GitLab engineers.
Refer to the internal "Release Information" dashboard for information about the next patch release, including the targeted versions, expected release date, and current status.
High-severity bug remediation
To remediate high-severity issues requiring an internal release for single-tenant SaaS instances, refer to the internal release process for engineers.