CVE-2020-10735: Incorrect Type Cast
A flaw was found in Python. Converting a string to an int with int("text") in a non-binary base uses an algorithm with quadratic time complexity, so a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability.
Other sources
A vulnerability was found in PyLong_FromString() in Python, which is used by int("text"). For non-binary bases it uses an algorithm with quadratic time complexity to convert a string into an arbitrary precision number. It takes about 50ms to parse an int string with 100,000 digits and about 5sec for 1,000,000 digits. The float type, decimal type, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected.
— Red Hat
Python is vulnerable to a denial of service, caused by the failure to limit the number of digits when converting text to int by the int() type in PyLong_FromString(). A remote attacker could exploit this vulnerability to consume all available resources.
— IBM
Remediation
Patch Available
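As an added example (not code from this advisory, from Red Hat, IBM, or CPython itself), the following Python shows how a defender bounds the work int() does on untrusted text: a linear-time digit count before conversion, a query of the interpreter-level limit that the fixed releases add (sys.get_int_max_str_digits() / sys.set_int_max_str_digits(), also settable through the PYTHONINTMAXSTRDIGITS environment variable), and a timing helper that makes the quadratic growth visible on interpreters that still use the quadratic algorithm. The 4300-digit cap is an assumption chosen to match the default limit in fixed CPython releases; the function names are this example's own.

```python
import sys
import time

# Assumed cap for untrusted input; 4300 matches the default limit that fixed
# CPython releases enforce, but any value suited to the application works.
MAX_UNTRUSTED_DIGITS = 4300


def parse_untrusted_int(text: str, max_digits: int = MAX_UNTRUSTED_DIGITS) -> int:
    """Convert untrusted decimal text to int without incurring quadratic cost.

    The digit count is checked first (linear in the input length), so an
    oversized string is rejected before the quadratic conversion ever runs.
    Surrounding whitespace and a leading sign are accepted as int() accepts
    them; underscores and non-decimal characters are rejected.
    """
    s = text.strip()
    if s and s[0] in "+-":
        s = s[1:]
    if not s.isdecimal():
        raise ValueError("not a decimal integer")
    if len(s) > max_digits:
        raise ValueError(f"integer string exceeds {max_digits} digits")
    return int(s) if text.strip()[:1] != "-" else -int(s)


def stdlib_limit():
    """Return the interpreter's own str->int digit limit, or None if this
    interpreter predates the fix and therefore has no such limit."""
    getter = getattr(sys, "get_int_max_str_digits", None)
    return getter() if getter is not None else None


def interpreter_limit_enforced(digits: int) -> bool:
    """True if int() on a string of `digits` decimal digits raises ValueError.

    Fixed releases (per this advisory 3.7.14, 3.8.14 and 3.9.14, and all later
    series) refuse strings longer than the limit; unfixed ones parse anything.
    """
    try:
        int("9" * digits)
    except ValueError:
        return True
    return False


def time_parse(n_digits: int) -> float:
    """Seconds taken by int() on a constructed n_digits-digit string.

    The stdlib limit is lifted for the measurement and restored afterwards,
    so the call also works on fixed interpreters.
    """
    text = "7" * n_digits  # constructed input
    setter = getattr(sys, "set_int_max_str_digits", None)
    old = stdlib_limit()
    if setter is not None:
        setter(0)  # 0 disables the limit
    try:
        t0 = time.perf_counter()
        int(text)
        return time.perf_counter() - t0
    finally:
        if setter is not None:
            setter(old)


if __name__ == "__main__":
    print("stdlib limit:", stdlib_limit())
    print("5000 digits refused by int():", interpreter_limit_enforced(5000))
    print("parse_untrusted_int(' -42 ') =", parse_untrusted_int(" -42 "))
    try:
        parse_untrusted_int("1" * (MAX_UNTRUSTED_DIGITS + 1))
    except ValueError as exc:
        print("rejected oversized input:", exc)
    # On a quadratic implementation doubling the digits roughly quadruples the time.
    t1, t2 = time_parse(50_000), time_parse(100_000)
    print(f"50k digits: {t1:.3f}s  100k digits: {t2:.3f}s  ratio: {t2 / max(t1, 1e-9):.1f}")
```

The pre-check matters even on a fixed interpreter: the stdlib limit is process-global and can be raised or disabled by other code, whereas parse_untrusted_int enforces its own cap at the trust boundary regardless of interpreter settings.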
Frequently Asked Questions
What is the vulnerability ID of this flaw in python?
The vulnerability ID of this flaw in python is CVE-2020-10735.
What is the severity of CVE-2020-10735?
The severity of CVE-2020-10735 is high (7.5).
Which versions of Python are affected by CVE-2020-10735?
Versions 3.7.0 to 3.7.14, 3.8.0 to 3.8.14, and 3.9.0 to 3.9.14 of Python are affected by CVE-2020-10735.
How can I fix CVE-2020-10735?
To fix CVE-2020-10735, you should update Python to version 3.6.8-48.el8_7.1, 3.9.10-3.el9_0, or 3.8.14-1.el7 (depending on your operating system).
Where can I find more information about CVE-2020-10735?
You can find more information about CVE-2020-10735 on the Red Hat Bugzilla website: [Link](https://bugzilla.redhat.com/show_bug.cgi?id=2124161).