CVE-2020-20136: Deserialization of Untrusted Data

May 24, 2022 (updated July 20, 2023)

QuantConnect Lean versions from 2.3.0.0 to 2.4.0.1 are affected by an insecure deserialization vulnerability due to insecure configuration of TypeNameHandling property in Json.NET library.

References

github.com/QuantConnect/Lean/issues/3537
github.com/advisories/GHSA-ww7r-278h-48mh
nvd.nist.gov/vuln/detail/CVE-2020-20136

Detect and mitigate CVE-2020-20136 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →