libocpp Denial-of-Service Vulnerability Allowing EVerest Crash

Vulnerability

A denial-of-service vulnerability has been identified in libocpp versions prior to 0.28.0. The issue arises during the generation of error messages, where a secondary exception is inadvertently thrown. This can lead to a crash in the EVerest application.

Impact

Exploitation of this vulnerability causes a crash in the EVerest application, disrupting its normal operation.

Reproduction

The vulnerability can be reproduced by sending certain malformed messages to a charge point implemented with an affected version of libocpp. When these messages are parsed, they generate JSON exceptions. If these exceptions are reported to the Central System Management Service (CSMS) as part of a CallError, a secondary parsing exception occurs. This secondary exception can be caught and handled, but if it is not, it will lead to a crash.
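The failure mode described in this section, as an added example in C++ that is not libocpp code: a constructed stand-in parser models an OCPP Call frame, the unsafe handler re-parses the malformed frame while building the CallError so a second exception escapes the catch block, and the hardened handler keeps every step of its error path from throwing. The frame format, the function names and the "-1" placeholder id are assumptions made for this example.

```cpp
#include <stdexcept>
#include <string>

// Constructed stand-in for an OCPP Call frame: [2,"<uniqueId>","<action>",...]
// (not real JSON parsing). Throws std::invalid_argument when the frame is malformed.
struct Call { std::string id; };

Call parse_call(const std::string& raw) {
    if (raw.size() < 5 || raw.compare(0, 4, "[2,\"") != 0)
        throw std::invalid_argument("not a Call frame: " + raw);
    std::size_t end = raw.find('"', 4);
    if (end == std::string::npos)
        throw std::invalid_argument("unterminated uniqueId: " + raw);
    return Call{raw.substr(4, end - 4)};
}

// Builds a CallError frame [4,"<uniqueId>","<errorCode>","<description>",{}].
std::string call_error(const std::string& id, const std::string& desc) {
    return "[4,\"" + id + "\",\"FormationViolation\",\"" + desc + "\",{}]";
}

// Vulnerable pattern (models the bug described above): the catch block re-parses
// the malformed frame to recover the uniqueId, so the parser throws a second
// time from inside the handler and the exception escapes to the caller.
std::string handle_unsafe(const std::string& raw) {
    try {
        return "handled " + parse_call(raw).id;
    } catch (const std::invalid_argument& e) {
        return call_error(parse_call(raw).id, e.what());  // throws again
    }
}

// Hardened pattern: nothing on the error path may throw. Recovery of the
// uniqueId is itself guarded and falls back to a placeholder (assumed "-1").
std::string handle_safe(const std::string& raw) {
    try {
        return "handled " + parse_call(raw).id;
    } catch (const std::exception& e) {
        std::string id = "-1";
        try { id = parse_call(raw).id; } catch (...) { /* keep placeholder */ }
        return call_error(id, e.what());
    }
}

// True if the unsafe handler lets an exception escape for this frame.
bool unsafe_escapes(const std::string& raw) {
    try { handle_unsafe(raw); return false; } catch (...) { return true; }
}
```

With the unguarded handler the second exception propagates out of the message loop, which is the crash the advisory describes; the guarded handler always produces a CallError instead.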

Remediation

Users can upgrade to libocpp version 0.28.0 or later to address this vulnerability.

Added: Sep 15, 2025, 10:48 PM
Updated: Sep 15, 2025, 10:48 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.4
remediation: 0.0
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.