CVE-2025-5346 | THREATINT

Description

Bluebird devices contain a pre-loaded barcode scanner application. This application exposes an unsecured broadcast receiver "kr.co.bluebird.android.bbsettings.BootReceiver". A local attacker can call the receiver to overwrite file containing ".json" keyword with default barcode config file. It is possible to overwrite file in any location due to lack of protection against path traversal in name of the file. This issue affects all versions before 1.3.3.

PUBLISHED Reserved 2025-05-30 | Published 2025-07-17 | Updated 2025-07-17 | Assigner CERT-PL

MEDIUM: 5.1CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

Problem types

CWE-926 Improper Export of Android Application Components

Product status

Default status

unaffected

Any version before 1.3.3

affected

Credits

Szymon Chadam finder

References

cert.pl/en/posts/2025/07CVE-2025-5344 third-party-advisory

cve.org (CVE-2025-5346)

nvd.nist.gov (CVE-2025-5346)

Download JSON