CVE-2023-41146: Security Advisories | Autodesk Trust Center

This advisory is about access to support case data via the Autodesk Customer Portal for all Autodesk products, specifically where support cases are managed. After review, Autodesk discovered two data protection issues with the existing mechanism that manages user access to cases and is introducing two enhanced controls to address them.

Enhanced Control #1

CURRENT STATE - Customer Portal users who no longer have an active Autodesk license can still view cases for an account associated with the expired license when they are granted a new Autodesk license for a new account.

Example:
Cindy is employed at Acme company and is allocated an Autodesk license and access to the Customer Portal. Cindy now has access to Acme’s support cases via the Customer Portal. Cindy leaves Acme company and joins Omega company, where she is given an Autodesk license. In this scenario, Cindy has access to both Acme and Omega’s cases, even though she only has one active license for Omega.

RESOLUTION – Effective immediately, users of the Autodesk Customer Portal will have access to the Portal and any support cases in it only for the account for which they have a valid Autodesk license. No further action needs to be taken by Autodesk customers. This resolution is automatically applied.

Enhanced Control #2

CURRENT STATE - By default, all users who have an active Autodesk license can view and manage all support cases created by all users for the same account.

RESOLUTION – Via the Customer Portal, Contract Managers can choose to restrict support case access such that users can only view and manage their own cases within that account. This manual step removes the ability for users to see support cases created by others in the account. Note that only Contract Managers can choose to restrict access to support cases for all users in an account. The ability to manage case access at the user level will be available in the near future.

To take advantage of this optional enhanced control, please follow the steps 1-6 outlined below.

Steps to update the default setting:

1. Login to the Autodesk Customer Portal
2. Click on “Manage your cases.”
3. Navigate to the “View Cases” tab.
4. In the “Accounts” dropdown, select the account for which you’d like to change the default setting.
5. Check the “Restrict ability to view cases created by other users on this account.”
6. Complete this for every account you wish to restrict access.