CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
77.9%
A flaw was found in python. In algorithms with quadratic time complexity
using non-binary bases, when using int(“text”), a system could take 50ms to
parse an int string with 100,000 digits and 5s for 1,000,000 digits (float,
decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32
are not affected). The highest threat from this vulnerability is to system
availability.
Author | Note |
---|---|
alexmurray | The upstream patch for this issue now limits the input string for int() to 5000 digits - this is a breaking change but very unlikely to cause a regression since it is highly unlikely there is code handling such large numbers since as noted in the upstream commit, “total amount of protons in the observable universe is known as Eddington number. That number has 80 digits.” - so 5000 digits out to be enough for anyone |
eslerm | ongoing discourse on https://discuss.python.org LWN reports patch causes regressions |
discuss.python.org/t/int-str-conversions-broken-in-latest-python-bugfix-releases/18889
github.com/python/cpython/issues/96834
github.com/python/cpython/pull/96499
launchpad.net/bugs/cve/CVE-2020-10735
lwn.net/Articles/907572/
nvd.nist.gov/vuln/detail/CVE-2020-10735
seclists.org/oss-sec/2022/q3/215
security-tracker.debian.org/tracker/CVE-2020-10735
www.cve.org/CVERecord?id=CVE-2020-10735