RHSA is "moderate" but contains "critical" CVE
I have some specific requirements about patching systems based on Critical vs. Important vs. all else (Moderate & Low). While the security team references CVEs, I have based my actions on the RHSA ratings that reference the CVEs.
I've not run across one like this (that I can recall; and a shout-out to the rhsecapi creator):
rhsecapi --q-advisory RHSA-2020:5439
[NOTICE ] rhsda: 3 CVEs found with search query
CVE ID          PUB DATE    BUGZILLA  SEVERITY  CVSS2  CVSS3  RHSAS  PKGS
CVE-2020-14323  2020-10-29  1891685   moderate         5.0    1      1
CVE-2020-14318  2020-10-29  1892631   moderate         4.3    1      1
CVE-2020-1472   2020-09-11  1879822   critical         9.8    1      1
Since the RHSA was moderate, no out-of-cycle effort was made to apply the fix. However, it contains a CVE that even RH affirms is Critical. I had thought the RHSA usually matches the highest CVE rating.
I can go back to Security and say "well, RH rated their fix as a Moderate", but they can say "yeah, but RH rated the CVE as critical." I'm wondering if this was a mistake, or is this a common situation that I've just not registered before?
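A small added example (not part of the post, and not rhsecapi's own code) of the check a patching policy based on advisory ratings needs: parse the rhsecapi table quoted above, take the highest CVE severity it lists, and flag the advisory when that is higher than the RHSA's own rating. The table text and the "moderate" advisory rating are taken from the post; the function and field names are assumptions.

```python
"""Flag RHSAs whose own rating is lower than the highest CVE they fix.

Added example, not code from the original post or from rhsecapi.
The sample table is the rhsecapi output quoted in the post, embedded as a
string so this runs offline; "moderate" is the advisory rating from the post.
"""
from typing import Dict, List

SEVERITY_RANK = {"low": 1, "moderate": 2, "important": 3, "critical": 4}

# Constructed from the rhsecapi output quoted in the post.
SAMPLE_OUTPUT = """\
CVE ID          PUB DATE    BUGZILLA  SEVERITY  CVSS2  CVSS3  RHSAS  PKGS
CVE-2020-14323  2020-10-29  1891685   moderate         5.0    1      1
CVE-2020-14318  2020-10-29  1892631   moderate         4.3    1      1
CVE-2020-1472   2020-09-11  1879822   critical         9.8    1      1
"""


def parse_rhsecapi_table(text: str) -> List[Dict[str, str]]:
    """Parse rhsecapi's whitespace-aligned CVE table into dicts.

    The CVSS2 column is empty for recent CVEs, so splitting on whitespace
    gives 7 tokens instead of 8; fixed columns are read from both ends and
    whatever score tokens remain sit in the middle (last one is CVSS3).
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].startswith("CVE-"):
            continue  # skip the header and blank lines
        cve, pub, bz, sev = parts[:4]
        rhsas, pkgs = parts[-2:]
        scores = parts[4:-2]
        rows.append({"cve": cve, "date": pub, "bugzilla": bz,
                     "severity": sev.lower(),
                     "cvss3": scores[-1] if scores else "",
                     "rhsas": rhsas, "pkgs": pkgs})
    return rows


def effective_severity(advisory_rating: str, rows: List[Dict[str, str]]) -> dict:
    """Compare the advisory rating with the highest CVE rating it covers."""
    top = max(rows, key=lambda r: SEVERITY_RANK[r["severity"]])
    adv = advisory_rating.lower()
    return {"advisory": adv, "max_cve": top["severity"], "max_cve_id": top["cve"],
            "mismatch": SEVERITY_RANK[top["severity"]] > SEVERITY_RANK[adv]}


if __name__ == "__main__":
    print(effective_severity("moderate", parse_rhsecapi_table(SAMPLE_OUTPUT)))
```

Driving the patch decision from the "mismatch" flag (or simply from "max_cve") rather than from the RHSA rating alone closes the gap the post describes.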