Vulnerabilities CVE-2024-43598 & sonatype-2024-013191 found in the latest v4.5.0

[OlgasAcc]

Description

Hello,
Our Sonatype security scanner has detected CVE sonatype-2024-013191 and https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43598 in the latest version of the lightgbm– v4.5.0 (and in the current version we use for our python services - v4.0.0).

Based on the Sonatype description, there is no non-vulnerable version available.
Could you please provide the necessary fix and release?

Thanks

[jameslamb]

Thanks for using LightGBM.

Please:

1. search the issues here before posting (this is identical to Status of CVE-2024-43598? #6750 )
2. do not post about security vulnerabilities publicly (see https://github.com/microsoft/LightGBM/blob/master/SECURITY.md)

A fix has been merged, we will try to do a release in the next few weeks.

The vulnerability only affects distributed (multi-machine) training, so if you don't do that you can safely ignore it.

[OlgasAcc]

Hi @jameslamb thanks a lot for the quick response and the fix. And my apologies for this confusion.
We'll be looking forward for the next released version of LightGBM.

Regards,
Olga

[MarkJacksonRG]

Please release it so the community can use the fix!

[OlgasAcc]

@jameslamb could you please provide ETA of the next release (which will contain the mentioned fix)? Thanks

[jameslamb]

We will do a release when we can. I do not have an ETA. We understand.

[github-actions]

This issue has been automatically locked since there has not been any recent activity since it was closed.
To start a new related discussion, open a new issue at https://github.com/microsoft/LightGBM/issues including a reference to this.