CVE-2023-52096 in ocpp-jaxb
Summary
by MITRE • 12/27/2023
SteVe Community ocpp-jaxb before 0.0.8 generates invalid timestamps such as ones with month 00 in certain situations (such as when an application receives a StartTransaction Open Charge Point Protocol message with a timestamp parameter of 1000000). This may lead to a SQL exception in applications, and may undermine the integrity of transaction records.
Analysis
by VulDB Data Team • 01/19/2024
CVE-2023-52096 affects the SteVe Community ocpp-jaxb library in versions before 0.0.8; the library is commonly used in electric vehicle charging infrastructure implementations. The issue stems from improper timestamp validation and generation within the Open Charge Point Protocol message processing framework. It manifests when an application receives a StartTransaction message with certain timestamp parameters: the library then generates an invalid timestamp, such as one with month 00, which falls outside standard calendar conventions. This is a classic data validation failure that can cascade into broader stability issues within charging station networks that rely on timestamp integrity for transaction logging and billing.
The technical implementation flaw resides in the timestamp parsing and validation logic within the ocpp-jaxb library, which fails to properly validate incoming timestamp parameters against standard datetime formats. When a StartTransaction message contains a timestamp parameter of 1000000, the library's timestamp generation mechanism produces invalid outputs with month values of 00, which violates standard datetime formatting conventions. This type of vulnerability maps directly to CWE-707, representing improper neutralization of special elements used in a different syntax context, and specifically relates to CWE-606, which addresses unvalidated input being used in later operations. The underlying issue demonstrates poor input sanitization and validation practices that are fundamental to secure coding standards.
The operational impact of this vulnerability extends beyond simple timestamp generation failures to potentially compromise entire transaction processing workflows within charging station networks. Applications that rely on the affected library may encounter SQL exceptions when attempting to store transaction records containing invalid timestamps, leading to transaction rollbacks, data integrity issues, and potential service disruptions. The vulnerability undermines the integrity of transaction records by introducing inconsistent timestamp data that can affect billing accuracy, audit trails, and compliance reporting within electric vehicle charging infrastructure. This represents a significant concern for organizations managing large charging networks where transaction data accuracy is critical for revenue processing and regulatory compliance.
Mitigation strategies for CVE-2023-52096 should prioritize immediate library version updates to 0.0.8 or later, which contain the necessary timestamp validation fixes. Organizations should implement comprehensive input validation at multiple layers of their charging infrastructure stack, including application-level timestamp verification and database-level constraints to prevent invalid timestamp values from being stored. Network monitoring solutions should be enhanced to detect and alert on malformed timestamp patterns within OCPP messages, while security teams should conduct thorough vulnerability assessments of all systems utilizing the affected library. Additionally, implementing proper error handling and graceful degradation mechanisms can help prevent complete service failures when invalid timestamps are encountered. The remediation process should also include reviewing and updating security policies to ensure proper timestamp validation procedures are integrated into development lifecycle practices, aligning with NIST SP 800-53 security controls for input validation and data integrity protection.
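As an illustration of the application-level timestamp verification and malformed-timestamp detection described above, the following added example (not code from ocpp-jaxb, SteVe or this advisory) checks the `timestamp` field of StartTransaction requests before they reach storage. It assumes OCPP 1.6 JSON framing (`[2, uniqueId, action, payload]`); the function names, the 2010 floor and the one-day future allowance are hypothetical policy choices.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Full date-time only: YYYY-MM-DDThh:mm:ss[.fff][Z|+hh:mm|-hh:mm]
TS_RE = re.compile(r"(\d{4})-(\d\d)-(\d\d)T(\d\d):(\d\d):(\d\d)(?:\.\d{1,9})?"
                   r"(?:Z|([+-])(\d\d):(\d\d))?", re.ASCII)
EARLIEST = datetime(2010, 1, 1, tzinfo=timezone.utc)  # assumed policy floor
MAX_FUTURE = timedelta(days=1)                        # assumed clock-skew allowance

def check_timestamp(value, now):
    """Return None if the timestamp is acceptable, otherwise a reason string."""
    if not isinstance(value, str):
        return "timestamp is not a string"
    m = TS_RE.fullmatch(value)
    if m is None:
        return "not a full ISO 8601 date-time"
    sign, off_h, off_m = m.group(7, 8, 9)
    offset = timedelta(hours=int(off_h), minutes=int(off_m)) if sign else timedelta(0)
    try:  # datetime() rejects month 00, day 32, hour 25; timezone() rejects offsets >= 24h
        tz = timezone(-offset if sign == "-" else offset)
        ts = datetime(*(int(g) for g in m.group(1, 2, 3, 4, 5, 6)), tzinfo=tz)
    except ValueError as exc:
        return f"impossible calendar value ({exc})"
    if ts < EARLIEST or ts > now + MAX_FUTURE:
        return "outside accepted time window"
    return None

def scan_frames(lines, now):
    """Return (uniqueId, reason) for every StartTransaction CALL with a bad timestamp."""
    findings = []
    for line in lines:
        try:
            frame = json.loads(line)
        except json.JSONDecodeError:
            continue
        # OCPP-J CALL frame layout: [2, uniqueId, action, payload]
        if not (isinstance(frame, list) and len(frame) == 4 and frame[0] == 2):
            continue
        _, uid, action, payload = frame
        if action == "StartTransaction" and isinstance(payload, dict):
            reason = check_timestamp(payload.get("timestamp"), now)
            if reason:
                findings.append((uid, reason))
    return findings

# Constructed sample frames, not captured traffic (a2 uses the value from the CVE text)
SAMPLE_TS = ["2023-12-27T10:15:00Z", "1000000", "2023-00-27T10:15:00Z", "2999-01-01T00:00:00Z"]
SAMPLE = ['[2,"a%d","StartTransaction",{"connectorId":1,"idTag":"T1","meterStart":0,"timestamp":"%s"}]'
          % (i, ts) for i, ts in enumerate(SAMPLE_TS, 1)]
```

Calling `scan_frames(SAMPLE, datetime.now(timezone.utc))` returns one finding per rejected frame; the same `check_timestamp` call can gate a request handler so that a rejected value is answered with an error instead of being written to the transaction table.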