GHSA-ww7r-278h-48mh

Source
https://github.com/advisories/GHSA-ww7r-278h-48mh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-ww7r-278h-48mh/GHSA-ww7r-278h-48mh.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-ww7r-278h-48mh
Aliases
Published
2022-05-24T17:36:17Z
Modified
2023-11-01T04:52:15.957254Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
QuantConnect Lean vulnerable to insecure deserialization
Details

QuantConnect Lean versions from 2.3.0.0 to 2.4.0.1 are affected by an insecure deserialization vulnerability caused by an insecure configuration of the TypeNameHandling property of the Json.NET library. The issue can be avoided by running Lean only in an environment where all data provided to it is trusted.

Database specific
{
    "nvd_published_at": "2020-12-14T19:15:00Z",
    "cwe_ids": [
        "CWE-502"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-20T13:09:39Z"
}
References

Affected packages

NuGet / QuantConnect.Common

Package

Name
QuantConnect.Common
Purl
pkg:nuget/QuantConnect.Common

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.3.0.0
Last affected
2.4.0.1

Affected versions

2.*

2.4.0.1-unofficial