CVE-2020-20136 – quantconnect.common
Package
Manager: nuget
Name: quantconnect.common
Vulnerable Version: >=2.3.0.0 <=2.4.0.1
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.00326 (percentile 0.54912)
Details
QuantConnect Lean vulnerable to insecure deserialization
QuantConnect Lean versions 2.3.0.0 through 2.4.0.1 are affected by an insecure deserialization vulnerability (CWE-502) caused by an insecure setting of the TypeNameHandling property in the Json.NET library, which lets attacker-supplied JSON select the .NET types that are instantiated during deserialization. The issue can be avoided by running Lean only in an environment where all data it receives is trusted.
Metadata
Created: 2022-05-24T17:36:17Z
Modified: 2023-07-20T13:09:39Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-ww7r-278h-48mh/GHSA-ww7r-278h-48mh.json
CWE IDs: CWE-502
Alternative ID: GHSA-ww7r-278h-48mh
Finding: F096
Auto approve: 1