- Story
- Resolution: Won't Do
The package sox is present in RHEL AI 1.4. It is not in RHEL AI 1.5, but the git branch exists, and it is planned to be in 2.0.
We have it at version 14.4.2, same as EPEL9 and Fedora. cvedetails.com lists a total of 9 CVEs that may affect it. They are listed as affecting 3 different versions separately:
Under version 14.4.2:
CVE-2022-31651
CVE-2022-31650
Under version 14.4.2-7:
CVE-2021-33844 - RH assessed as not affecting RHEL5 or RHEL7
CVE-2021-23210 - RH assessed as not affecting RHEL5 or RHEL7
CVE-2021-23172 - RH listed as "out of support scope" for RHEL5 & RHEL7 (even though advisory was published in 2021, during RHEL7's lifecycle)
CVE-2021-23159 - RH listed as "out of support scope" for RHEL5 & RHEL7 (even though advisory was published in 2021, during RHEL7's lifecycle)
Under version 14.4.3:
CVE-2023-34318 - RH listed as "out of support scope" for RHEL6 & RHEL7 (even though advisory was published in 2023, during RHEL7's lifecycle)
CVE-2023-32627 - RH listed as "out of support scope" for RHEL6 & RHEL7 (even though advisory was published in 2023, during RHEL7's lifecycle)
CVE-2023-26590 - RH listed as "out of support scope" for RHEL6 & RHEL7 (even though advisory was published in 2023, during RHEL7's lifecycle)