RHSA is "moderate" but contains "critical" CVE


I have some specific requirements about patching systems based on Critical vs. Important vs. all else (Moderate & Low). While the security team references CVEs, I have based my actions on the RHSA ratings that reference the CVEs.

I've not run across one like this (that I can recall, and a shout-out to the rhsecapi creator):

    rhsecapi --q-advisory RHSA-2020:5439

    [NOTICE ] rhsda: 3 CVEs found with search query

    CVE ID          PUB DATE    BUGZILLA  SEVERITY  CVSS2  CVSS3  RHSAS  PKGS
    CVE-2020-14323  2020-10-29  1891685   moderate         5.0    1      1
    CVE-2020-14318  2020-10-29  1892631   moderate         4.3    1      1
    CVE-2020-1472   2020-09-11  1879822   critical         9.8    1      1

Since the RHSA was moderate, no out-of-cycle effort was made to apply the fix. However, it contains a CVE that even RH affirms is Critical. I had thought the RHSA usually matches the highest CVE rating.

I can go back to Security and say "well, RH rated their fix as a Moderate", but they can say "yeah, but RH rated the CVE as critical." I'm wondering if this was a mistake, or if this is a common situation that I've just not registered before.
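One way to catch this situation automatically, as an added example that is not part of the original post and not code from the rhsecapi project: parse the rhsecapi advisory listing, find the highest CVE severity it contains, and compare it with the advisory's own rating. The sample text below is constructed to mirror the output quoted above, the advisory rating "moderate" is taken from the post, and the rule "escalate to the highest CVE severity when it exceeds the RHSA rating" is an assumed local patching policy, not a Red Hat rule. Against a live system the same checker could be fed the output of `rhsecapi --q-advisory <id>`.

```python
import re
from typing import Dict, List, Optional

# Red Hat's four-level severity scale, lowest to highest.
SEVERITY_RANK = {"low": 1, "moderate": 2, "important": 3, "critical": 4}

# Constructed sample, shaped like the rhsecapi output quoted in the post.
SAMPLE_OUTPUT = """\
[NOTICE ] rhsda: 3 CVEs found with search query

CVE ID          PUB DATE    BUGZILLA  SEVERITY  CVSS2  CVSS3  RHSAS  PKGS
CVE-2020-14323  2020-10-29  1891685   moderate         5.0    1      1
CVE-2020-14318  2020-10-29  1892631   moderate         4.3    1      1
CVE-2020-1472   2020-09-11  1879822   critical         9.8    1      1
"""

# One table row: CVE id, publish date, Bugzilla id, severity word, then the
# numeric columns (CVSS2 and/or CVSS3 scores followed by RHSAS and PKGS counts).
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+(?P<pub>\d{4}-\d{2}-\d{2})\s+(?P<bz>\d+)\s+"
    r"(?P<severity>low|moderate|important|critical)\s+(?P<numbers>.*)$",
    re.IGNORECASE,
)


def parse_rhsecapi(text: str) -> List[Dict[str, object]]:
    """Return one dict per CVE row found in rhsecapi table output."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # notice lines, header, blank lines
        numbers = m.group("numbers").split()
        # The last two numbers are the RHSAS and PKGS counts; anything before
        # them is a CVSS score (CVSS2 may be blank, as in the sample).
        cvss_scores = [float(s) for s in numbers[:-2]]
        rows.append({
            "cve": m.group("cve"),
            "published": m.group("pub"),
            "bugzilla": m.group("bz"),
            "severity": m.group("severity").lower(),
            "cvss": max(cvss_scores) if cvss_scores else None,
        })
    return rows


def highest_cve_severity(rows: List[Dict[str, object]]) -> Optional[str]:
    """Highest severity word among the parsed CVE rows, or None if empty."""
    if not rows:
        return None
    return max((str(r["severity"]) for r in rows), key=lambda s: SEVERITY_RANK[s])


def effective_severity(advisory_severity: str, rows: List[Dict[str, object]]) -> str:
    """Assumed policy: treat the advisory at the higher of its own rating and
    its worst CVE, so a Critical CVE inside a Moderate RHSA is not missed."""
    adv = advisory_severity.lower()
    top = highest_cve_severity(rows)
    if top is None or SEVERITY_RANK[top] <= SEVERITY_RANK[adv]:
        return adv
    return top


def check_advisory(advisory_id: str, advisory_severity: str, text: str) -> Dict[str, object]:
    """Summarise an advisory and flag it when a contained CVE outranks the RHSA."""
    rows = parse_rhsecapi(text)
    adv = advisory_severity.lower()
    eff = effective_severity(adv, rows)
    return {
        "advisory": advisory_id,
        "rhsa_severity": adv,
        "highest_cve_severity": highest_cve_severity(rows),
        "effective_severity": eff,
        "escalated": eff != adv,
        "cves": rows,
    }


if __name__ == "__main__":
    result = check_advisory("RHSA-2020:5439", "moderate", SAMPLE_OUTPUT)
    print(f"{result['advisory']}: RHSA={result['rhsa_severity']}, "
          f"worst CVE={result['highest_cve_severity']}, "
          f"effective={result['effective_severity']}, escalated={result['escalated']}")
    for row in result["cves"]:
        print(f"  {row['cve']}  {row['severity']:<9} CVSS {row['cvss']}")
```

The parser keys on the severity word rather than on column positions, so it tolerates the blank CVSS2 column seen in the sample; the "escalated" flag is what a patching workflow would act on when the RHSA rating and the worst contained CVE disagree.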

Responses