CVE-2025-5346
BaseFortify
Publication date: 2025-07-17
Last updated on: 2025-07-17
Assigner: CERT.PL
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bluebird | barcode_scanner_application | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-926 | The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Bluebird devices' pre-loaded barcode scanner application, which exposes an unsecured broadcast receiver named "kr.co.bluebird.android.bbsettings.BootReceiver". A local attacker can invoke this receiver to overwrite files containing the ".json" keyword with the default barcode configuration file. Due to a lack of protection against path traversal in the file name, it is possible to overwrite files in any location on the device.
How can this vulnerability impact me?
The vulnerability allows a local attacker to overwrite arbitrary files on the device by exploiting the unsecured broadcast receiver and path traversal flaw. This could lead to unauthorized modification of configuration files or other important files, potentially disrupting device functionality or enabling further attacks.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Bluebird barcode scanner application to version 1.3.3 or later, as all versions before 1.3.3 are affected. Additionally, restrict local access to the device to prevent attackers from calling the unsecured broadcast receiver and exploiting the path traversal vulnerability.