PT-2020-15234 · Quantconnect · Quantconnect Lean
Raj-Kumar-Jo · Published 2020-12-14 · Updated 2022-05-24
CVE-2020-20136
CVSS v3.1: 9.8 Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
QuantConnect Lean versions 2.3.0.0 through 2.4.0.1
Description
QuantConnect Lean is affected by an insecure deserialization vulnerability caused by an insecure setting of the TypeNameHandling property in the Json.NET library: with type-name handling enabled, a JSON document can name the .NET type that the deserializer instantiates. The risk can be reduced by running the affected software only in an environment where all data handed to the deserializer is trusted.
Recommendations
For QuantConnect Lean versions 2.3.0.0 through 2.4.0.1, run the software in a trusted environment to minimize the risk of exploitation. As a temporary workaround, do not pass untrusted data to the Json.NET deserializer until a patch is available.
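The following C# snippet is an added illustration of the setting the advisory refers to; it is not code from QuantConnect Lean or from Json.NET. It places the weak configuration (TypeNameHandling.All, which lets a "$type" value in the input choose the type to instantiate) beside two hardened configurations: TypeNameHandling.None, which is Json.NET's default and ignores "$type" metadata, and a restricted mode that keeps type names but resolves them only through an allow-list ISerializationBinder. The OrderMessage type, the "Some.Unexpected.Type, SomeAssembly" type name and the sample payload are constructed for the example and are not real Lean types or payloads.

```csharp
using System;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Hypothetical message contract used only for this example; not a QuantConnect Lean type.
public class OrderMessage
{
    public string Symbol { get; set; }
    public decimal Quantity { get; set; }
}

public static class JsonSettingsDemo
{
    // Weak setting: any "$type" value in the payload selects the .NET type to instantiate.
    // Applied to untrusted input, this is the configuration the advisory describes.
    public static readonly JsonSerializerSettings Insecure = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.All
    };

    // Hardened setting: "$type" metadata is ignored entirely (this is Json.NET's default).
    public static readonly JsonSerializerSettings Hardened = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.None
    };

    // If polymorphic deserialization is genuinely required, keep TypeNameHandling enabled
    // but resolve names only through an allow-list binder, so unexpected types are rejected.
    public sealed class AllowListBinder : ISerializationBinder
    {
        private static readonly Type[] Allowed = { typeof(OrderMessage) };

        public Type BindToType(string assemblyName, string typeName)
        {
            foreach (var t in Allowed)
                if (t.FullName == typeName) return t;
            throw new JsonSerializationException($"Type not permitted: {typeName}");
        }

        public void BindToName(Type serializedType, out string assemblyName, out string typeName)
        {
            assemblyName = null;
            typeName = serializedType.FullName;
        }
    }

    public static readonly JsonSerializerSettings Restricted = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.Objects,
        SerializationBinder = new AllowListBinder()
    };

    public static void Main()
    {
        // Constructed sample payload: carries a "$type" hint naming a type that is not part of
        // the expected contract. The type name is a placeholder, not a real type.
        const string untrusted =
            "{\"$type\":\"Some.Unexpected.Type, SomeAssembly\",\"Symbol\":\"SPY\",\"Quantity\":10}";

        // Hardened: "$type" is skipped and only the known properties bind.
        var safe = JsonConvert.DeserializeObject<OrderMessage>(untrusted, Hardened);
        Console.WriteLine($"Hardened: {safe.Symbol} x {safe.Quantity}");

        // Restricted: the binder refuses to resolve the unexpected type, and Json.NET
        // surfaces that refusal as a JsonSerializationException.
        try
        {
            JsonConvert.DeserializeObject<OrderMessage>(untrusted, Restricted);
        }
        catch (JsonSerializationException ex)
        {
            Console.WriteLine($"Restricted: rejected ({ex.Message})");
        }
    }
}
```

For a defender auditing a .NET code base, the check is a search for JsonSerializerSettings (or JsonSerializer instances) whose TypeNameHandling is anything other than None on a path that consumes external data; where a value other than None is unavoidable, the SerializationBinder allow-list shown above is the mitigation to look for.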
Weakness Enumeration
Deserialization of Untrusted Data
Related Identifiers
CVE-2020-20136
Affected Products
Jsonnet
Quantconnect Lean