CVE-2023-49956: `StopTransaction`: a Transaction Can Be Stopped with Random Transaction ID · Issue #34 · dallmann-consulting/OCPP.Core
An issue was discovered in Dallmann OCPP.Core before 1.3.0 for OCPP (Open Charge Point Protocol) for electric vehicles. A StopTransaction message with any random transactionId terminates active transactions.
Issue Description:
The server allows a StopTransaction message to stop an active transaction using a random transactionId instead of requiring the specific transactionId assigned at the start of the transaction. This could potentially lead to unauthorized stopping of transactions.
Steps to Reproduce:
- Start a transaction using StartTransaction, receiving a valid transactionId.
- Send a StopTransaction message with a random transactionId instead of the one received in step 1.
- Observe that the transaction is stopped by the server.
Expected Behavior:
The StopTransaction message should be validated to ensure it includes the correct transactionId that was assigned at the start of the transaction, thereby binding the user to the specific transaction being stopped.
Actual Behavior:
The server stops an active transaction when a StopTransaction message is sent with any random transactionId.
Suggested Solution:
Implement strict validation on the server to only stop transactions when the StopTransaction message contains the correct transactionId provided at the beginning of the transaction.
I look forward to your input on this matter.
Best regards,
Gaetano Coppoletta
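The validation the issue asks for, as an added example that is not OCPP.Core's own code: an in-memory Python model (all class, method and sample names are hypothetical) that contrasts a handler which never compares `transactionId` with one that binds the stop to the issued id. The additional check that the stop arrives from the charge point that started the transaction goes beyond what the issue states and is an assumption.

```python
from dataclasses import dataclass, field


@dataclass
class Transaction:
    transaction_id: int
    charge_point_id: str
    active: bool = True


@dataclass
class CentralSystem:
    """Hypothetical in-memory stand-in for an OCPP central system."""
    transactions: dict = field(default_factory=dict)
    next_id: int = 1000  # constructed starting value

    def start_transaction(self, charge_point_id):
        tx = Transaction(self.next_id, charge_point_id)
        self.transactions[tx.transaction_id] = tx
        self.next_id += 1
        return tx.transaction_id

    def stop_transaction_unbound(self, charge_point_id, payload):
        """Model of the reported behaviour: payload['transactionId'] is never compared."""
        for tx in self.transactions.values():
            if tx.charge_point_id == charge_point_id and tx.active:
                tx.active = False
                return True
        return False

    def stop_transaction_bound(self, charge_point_id, payload):
        """Stop only the transaction the message names, and only for its owner."""
        tx_id = payload.get("transactionId")
        if type(tx_id) is not int:  # rejects missing, string and bool values
            return False
        tx = self.transactions.get(tx_id)
        if tx is None or not tx.active:  # unknown id, or already stopped (replay)
            return False
        if tx.charge_point_id != charge_point_id:  # assumption: bind to the owning session
            return False
        tx.active = False
        return True


if __name__ == "__main__":
    cs = CentralSystem()
    issued = cs.start_transaction("CP-1")
    print(cs.stop_transaction_bound("CP-1", {"transactionId": issued + 4242}))
    print(cs.stop_transaction_bound("CP-1", {"transactionId": issued}))
```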