CRITICAL 9.8 NuGet
QuantConnect Lean vulnerable to insecure deserialization
GHSA-ww7r-278h-48mh · CVE-2020-20136
Description
QuantConnect Lean versions from 2.3.0.0 to 2.4.0.1 are affected by an insecure deserialization vulnerability caused by an insecure configuration of the TypeNameHandling property in the Json.NET library. The issue can be avoided by running Lean only in an environment where the data provided is trusted.
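The class of misconfiguration described above, as an added example that is not code from QuantConnect Lean or from the advisory: it contrasts a permissive TypeNameHandling value with the Json.NET default and with an allow-list ISerializationBinder. The Order, Unexpected and AllowListBinder names and the JSON input are constructed for illustration, and the page does not state which TypeNameHandling value Lean used.

```csharp
// Added example, not QuantConnect Lean code. Requires the Newtonsoft.Json NuGet package.
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Hypothetical type the application expects to receive.
public class Order { public string Symbol { get; set; } public int Quantity { get; set; } }
// Hypothetical stand-in for any type the application never meant to create.
public class Unexpected { public Unexpected() { Console.WriteLine("  Unexpected constructor ran"); } }

// Allow-list binder: only the types listed here may be named in a "$type" field.
public class AllowListBinder : ISerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type> { ["Order"] = typeof(Order) };

    public Type BindToType(string assemblyName, string typeName) =>
        Allowed.TryGetValue(typeName, out var t) ? t
            : throw new JsonSerializationException($"Type '{typeName}' is not on the allow-list");

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;               // emit short names only
        typeName = serializedType.Name;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed input: the "$type" value is chosen by whoever supplies the data.
        string json = "{\"$type\":\"" + typeof(Unexpected).AssemblyQualifiedName + "\"}";

        // Weak: Json.NET instantiates whatever type the data names, so its constructor runs.
        var weak = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.All };
        Console.WriteLine("All:   " + JsonConvert.DeserializeObject<object>(json, weak).GetType().Name);

        // Default: "$type" is not used to pick a type; the result is a plain JSON object.
        var none = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.None };
        Console.WriteLine("None:  " + JsonConvert.DeserializeObject<object>(json, none).GetType().Name);

        // If polymorphic payloads are required: keep type names but bind them to an allow-list.
        var bound = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.Auto, SerializationBinder = new AllowListBinder() };
        try { JsonConvert.DeserializeObject<object>(json, bound); }
        catch (JsonSerializationException e) { Console.WriteLine("Bound: rejected (" + e.Message + ")"); }
    }
}
```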