CVE-2020-10735: Incorrect Type Conversion or Cast in Python

Severity
7.5 HIGH (NVD)
EPSS
0.4%
top 40.28%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Sep 9
Latest update: Jul 15

Description

A flaw was found in Python. Converting a string to an integer with int("text") in a non-binary base uses an algorithm with quadratic time complexity, so a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability.
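As an added illustration (not code from cvebase or from CPython itself), the block below shows the defensive side of this flaw: a digit-count guard applied before int() starts its quadratic base-10 conversion, plus the interpreter-wide sys.set_int_max_str_digits() switch that patched releases provide. DEFAULT_MAX_DIGITS = 4300 is an assumed value chosen to mirror the patched default; the sample inputs are constructed.

```python
import sys
import time

# Default ceiling used by the CPython fix (assumed; on patched interpreters it
# matches sys.int_info.default_max_str_digits).
DEFAULT_MAX_DIGITS = 4300


def interpreter_has_limit() -> bool:
    """True when this interpreter ships the CVE-2020-10735 mitigation."""
    return hasattr(sys, "set_int_max_str_digits")


def apply_interpreter_limit(max_digits: int = DEFAULT_MAX_DIGITS) -> bool:
    """Turn on the interpreter-wide digit limit; returns False if unsupported."""
    if not interpreter_has_limit():
        return False
    sys.set_int_max_str_digits(max_digits)
    return True


def parse_int_bounded(text: str, max_digits: int = DEFAULT_MAX_DIGITS) -> int:
    """Decimal str -> int, rejecting oversized input before the O(n^2) work.

    Patched interpreters do this check inside int(); doing it by hand keeps
    the guard effective on interpreters that predate the fix.
    """
    digits = text.strip().lstrip("+-").replace("_", "")
    if len(digits) > max_digits:
        raise ValueError(
            f"refusing {len(digits)}-digit string (limit {max_digits})")
    return int(text)


def is_accepted(text: str, max_digits: int = DEFAULT_MAX_DIGITS) -> bool:
    """Convenience wrapper: does parse_int_bounded accept this input?"""
    try:
        parse_int_bounded(text, max_digits)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    apply_interpreter_limit()
    # Constructed inputs: one comfortably small, one far past the limit.
    for n in (1_000, 100_000):
        sample = "9" * n
        start = time.perf_counter()
        outcome = "parsed" if is_accepted(sample) else "rejected"
        print(f"{n:>7} digits: {outcome} in {time.perf_counter() - start:.4f}s")
```

On an unpatched interpreter the 100,000-digit input is still rejected instantly by the manual guard, so the quadratic path is never reached.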

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

NVD: python/python, 3.7.0 to 3.7.14 (+4 more)
CVEListV5: python/python, python 3.7
NVD: redhat/quay, 3.0.0

Also affects: Fedora 35, 36, 37, Enterprise Linux 8.0

Patches

🔴 Vulnerability Details (3)

GHSA: GHSA-6jr7-xr67-mgxw: A flaw was found in python (2022-09-10)
CVEList: CVE-2020-10735: A flaw was found in python (2022-09-09)
OSV: CVE-2020-10735: A flaw was found in python (2022-09-09)

📋 Vendor Advisories (5)

Oracle: Oracle Communications Risk Matrix: Configuration (Python), CVE-2020-10735 (2023-07-15)
Oracle: Oracle Database Server Risk Matrix: Oracle Database (Python), CVE-2020-10735 (2023-01-15)
Microsoft: A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases when using int("text") a system could take 50ms to parse an int string with 100000 digits and 5s for 100 (2022-09-13)
Red Hat: python: int() type in PyLong_FromString() does not limit amount of digits converting text to int leading to DoS (2022-09-02)
Debian: CVE-2020-10735: pypy3 - A flaw was found in python. In algorithms with quadratic time complexity using n... (2020)

💬 Community (1)

Bugzilla: CVE-2020-10735 python: int() type in PyLong_FromString() does not limit amount of digits converting text to int leading to DoS (2020-05-11)
CVE-2020-10735 — Incorrect Type Conversion or Cast | cvebase