CWE-120 on xgboost by dependency track

Hello.

I figured out what xgboost package does not pass Dependency Tracker. There is indicated CWE-120 (Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)).
I can not point the exact code snippet with vulnerability so far.

Is that known issue?

No. A more detailed report will be appreciated. For example, what is Dependency Tracker?

Thank you for replying.

Dependency Track: https://dependencytrack.org/
I am trying to get more specific information. As soon as I get it, I will provide here.

Guess this may be related:

• https://ossindex.sonatype.org/vuln/4dae2e0b-d6ea-48a1-a8f3-98cd9c865824?component-type=pypi&component-name=xgboost&utm_source=dependency-track&utm_medium=integration&utm_content=v3.8.0
• https://github.com/dmlc/xgboost/issues/1222