  1. Project Quay
  2. PROJQUAY-3428

RHEL8/7 omission of expat vulnerability CVE-2022-25235


Details

    • Spike
    • Resolution: Done
    • Undefined
    • None
    • None
    • clair
    • False
    • None
    • False
    • 0

    Description

      Prior to 2022/03/16 Clair was unable to detect this expat vulnerability in RHEL8. Since a fix was added on the 16th, Clair can now pick up the vulnerability from the OVAL DB and it correctly matches against it.

      The issue appears to be that unpatched vulnerabilities don't show up in the -including-unpatched OVAL DB variant and therefore Clair has no record of it. The indexing is detecting the vulnerable package fine.

      Relevant CVE: https://access.redhat.com/security/cve/CVE-2022-25235


          People

            jcroslan@redhat.com Joseph Crosland

            Dates

              Created:
              Updated:
              Resolved:
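The diagnosis in the description comes down to whether the OVAL feed carries any definition referencing the CVE. The following is an added example, not part of the original issue or of Clair's code, that checks this for a list of CVEs. The feed snippets are constructed, the function names are hypothetical, and the `reference` layout (`source="CVE"`, `ref_id`) is assumed to follow the standard OVAL definitions schema.

```python
import xml.etree.ElementTree as ET

OVAL_NS = {"oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}

# Constructed sample feed (not real Red Hat data): the CVE from this issue is absent.
FEED_BEFORE = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition class="vulnerability" id="oval:example:def:1" version="1">
      <metadata>
        <title>CVE-0000-0001 examplepkg: constructed entry</title>
        <reference ref_id="CVE-0000-0001" source="CVE"/>
      </metadata>
    </definition>
  </definitions>
</oval_definitions>"""

# Constructed feed after a fix ships: a patch definition now references the CVE.
# RHSA-0000:0000 is a placeholder advisory id, not a real one.
FEED_AFTER = FEED_BEFORE.replace("</definitions>", """<definition class="patch" id="oval:example:def:2" version="1">
      <metadata>
        <title>RHSA-0000:0000: expat security update (constructed)</title>
        <reference ref_id="RHSA-0000:0000" source="RHSA"/>
        <reference ref_id="CVE-2022-25235" source="CVE"/>
      </metadata>
    </definition>
  </definitions>""")


def definitions_for_cve(oval_xml, cve_id):
    """Return (definition id, class) for every definition that references cve_id."""
    root = ET.fromstring(oval_xml)
    hits = []
    for d in root.iterfind("oval:definitions/oval:definition", OVAL_NS):
        refs = d.iterfind("oval:metadata/oval:reference", OVAL_NS)
        if any(r.get("source") == "CVE" and r.get("ref_id") == cve_id for r in refs):
            hits.append((d.get("id"), d.get("class")))
    return hits


def coverage_gaps(oval_xml, cve_ids):
    """CVEs with no definition in the feed; a matcher fed only from it cannot report them."""
    return sorted(c for c in set(cve_ids) if not definitions_for_cve(oval_xml, c))


if __name__ == "__main__":
    watch = ["CVE-2022-25235", "CVE-0000-0001"]
    print("gaps before fix:", coverage_gaps(FEED_BEFORE, watch))
    print("gaps after fix: ", coverage_gaps(FEED_AFTER, watch))
```

Running a check like this against the feed a scanner consumes separates "package not indexed" from "no vulnerability data to match", which is the distinction this issue draws.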