CVE-2025-5346— File removal via path traversal in unsecured broadcast receiver in Bluebird barcode scanner application
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-5346
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
File removal via path traversal in unsecured broadcast receiver in Bluebird barcode scanner application
Source: NVD (National Vulnerability Database)
Vulnerability Description
Bluebird devices contain a pre-loaded barcode scanner application. This application exposes an unsecured broadcast receiver "kr.co.bluebird.android.bbsettings.BootReceiver". A local attacker can call the receiver to overwrite file containing ".json" keyword with default barcode config file. It is possible to overwrite file in any location due to lack of protection against path traversal in name of the file. This issue affects all versions before 1.3.3.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
CWE-926
Source: NVD (National Vulnerability Database)
Vulnerability Title
Bluebird 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Bluebird是韩国蓝鸟(Bluebird)公司的一款用于将设备锁定为专用模式,限制用户只能访问指定功能或应用的应用程序。 Bluebird 1.3.3之前版本存在安全漏洞,该漏洞源于条码扫描器应用暴露不安全广播接收器,可能导致任意位置文件覆盖。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Bluebird | kr.co.bluebird.android.bbsettings | 0 ~ 1.3.3 | - |
II. Public POCs for CVE-2025-5346
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-5346
请登录查看更多情报信息。
Same Patch Batch · Bluebird · 2025-07-17 · 3 CVEs total
| CVE-2025-5345 | Exposed AIDL service allowing to read and delete files with system-level privileges in Blu | |
| CVE-2025-5344 | Exposed AIDL service allowing for tampering of system secure settings in Bluebird kiosk ap |
IV. Related Vulnerabilities
Same weakness: CWE-926
- CVE-2026-3291
Samsung Print Service Plugin – Potential Information Disclos - CVE-2025-15464
KL-001-2026-01: yintibao Fun Print Mobile Unauthorized Acces - CVE-2025-14517
Yalantis uCrop AndroidManifest.xml UCropActivity improper e - CVE-2025-10722
SKTLab Mukbee App com.dw.android.mukbee AndroidManifest.xml - CVE-2025-10721
Webull Investing & Trading App AndroidManifest.xml improper
V. Comments for CVE-2025-5346
No comments yet