CVE-2008-0227

Exp

yaSSL 1.7.5 and earlier, as used in MySQL and possibly other products, allows remote attackers to cause a denial of service (crash) via a Hello packet containing a large size value, which triggers a buffer over-read in the HASHwithTransform::Update function in hash.cpp.

Published: 2008-01-10 Last update: 2026-04-23 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2008-0227 is rated High Exploit Risk (75.4/100): CVSS High severity, with high exploitation likelihood (EPSS 5.49%, 90th percentile). 1 public exploit reference(s) are indexed (Exploit-DB). Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2008-0227

EDB-ID Source Kind Published Link
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2008-0227

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-03-18 6.59% 5.49% -1.10%
2 2026-02-04 5.84% 6.59% +0.75%
3 2025-03-30 5.84%

Full EPSS history (15 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2008-0227

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.5 2.0 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:P)
Partial availability impact.
 10.0 6.4 [email protected]

Weakness enumeration for CVE-2008-0227

OS Trackers for CVE-2008-0227

vendor priority summary link
redhat https://access.redhat.com/security/cve/CVE-2008-0227
ubuntu low CVE-2008-0227 low priority: Ubuntu including 2 source packages (mysql-dfsg-4.1, mysql-dfsg-5.0), 18 status rows across 9 suites (dapper, edgy, feisty, gutsy, hardy, intrepid, jaunty, karmic, upstream): DNE 6, not-affected 4, released 4, ignored 2, needed 1, needs-triage 1. https://ubuntu.com/security/CVE-2008-0227

Vendor comments (NVD) for CVE-2008-0227

  • Red Hat (2008-01-11T00:00:00)

    Not vulnerable. This issue did not affect versions of MySQL as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Red Hat Application Stack v1, and v2, as they are not built with yaSSL support.

Affected software / configurations for CVE-2008-0227

Vendor Product Version Raw CPE
yassl yassl <= 1.7.5 cpe:2.3:a:yassl:yassl:*:*:*:*:*:*:*:*

References for CVE-2008-0227

URL Tags
http://bugs.mysql.com/33814
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-23.html
http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html
http://secunia.com/advisories/28324 Vendor Advisory
http://secunia.com/advisories/28597
http://secunia.com/advisories/29443
http://secunia.com/advisories/32222
http://securityreason.com/securityalert/3531
http://support.apple.com/kb/HT3216
http://www.debian.org/security/2008/dsa-1478
http://www.mandriva.com/security/advisories?name=MDVSA-2008:150
http://www.securityfocus.com/archive/1/485810/100/0/threaded
http://www.securityfocus.com/bid/27140 Exploit
http://www.securityfocus.com/bid/31681
http://www.ubuntu.com/usn/usn-588-1
http://www.vupen.com/english/advisories/2008/0560/references
http://www.vupen.com/english/advisories/2008/2780
https://exchange.xforce.ibmcloud.com/vulnerabilities/39433
cvelogic Threat Intelligence