Autodesk Trust Center

Security advisory

Advisories are used to communicate information related to vulnerabilities identified with Autodesk® products and services. This includes any fixes or workarounds that are applicable to the affected product.

Access Control Vulnerability in the Autodesk Customer Portal


Autodesk ID: ADSK-SA-2023-0020

Product, Service, Component: Autodesk Customer Portal

Impact: Improper Access Control

Severity: High

Original Publish: 10/19/2023

Last Revised: 10/19/2023

Severity | CVSS Score | Impact
Low | 0.1 - 3.9 | A vulnerability where the scope and impact of exploitation are restricted and exploitation is extremely difficult.
Medium | 4.0 - 6.9 | A vulnerability where exploitation is mitigated by factors such as difficulty of exploitation, default configuration or ease of identification.
High | 7.0 - 8.9 | A vulnerability which, if exploited, would directly impact the confidentiality, integrity or availability of users' data or processing resources.
Critical | 9.0 - 10 | A vulnerability which, if exploited, would allow remote execution of malicious code without user action.

Summary

Autodesk has been made aware of two issues related to the Autodesk Customer Portal. The first issue allows users who no longer have an active license for an account to access support cases for that account. The second issue allows users on an account to access case data created by other users on the same account.

Details

This advisory concerns access to support case data via the Autodesk Customer Portal, which is where support cases for all Autodesk products are managed. After review, Autodesk discovered two data protection issues in the existing mechanism that manages user access to cases and is introducing two enhanced controls to address them.

Enhanced Control #1

CURRENT STATE - Customer Portal users who no longer have an active Autodesk license can still view cases for an account associated with the expired license when they are granted a new Autodesk license for a new account.
Example: Cindy is employed at Acme company and is allocated an Autodesk license and access to the Customer Portal. Cindy now has access to Acme’s support cases via the Customer Portal. Cindy leaves Acme company and joins Omega company, where she is given an Autodesk license. In this scenario, Cindy has access to both Acme and Omega’s cases, even though she only has one active license for Omega.
RESOLUTION – Effective immediately, users of the Autodesk Customer Portal will have access to the Portal and any support cases in it only for the account for which they have a valid Autodesk license. No further action needs to be taken by Autodesk customers. This resolution is automatically applied.

Enhanced Control #2

CURRENT STATE - By default, all users who have an active Autodesk license can view and manage all support cases created by all users for the same account.
RESOLUTION – Via the Customer Portal, Contract Managers can choose to restrict support case access such that users can only view and manage their own cases within that account. This manual step removes the ability for users to see support cases created by others in the account. Note that only Contract Managers can choose to restrict access to support cases for all users in an account. The ability to manage case access at the user level will be available in the near future.
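The two enhanced controls amount to two conditions in the authorization decision for a support case: the user must hold an active license on the case's account, and, where the Contract Manager has restricted the account, the case must be the user's own. The following is an added illustrative model of that decision (hypothetical code, not Autodesk's implementation), with the pre-fix check beside the hardened one and constructed data mirroring the Cindy scenario above; all class and field names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Case:
    case_id: str
    account: str
    created_by: str


@dataclass
class Account:
    name: str
    # Contract Manager setting from Enhanced Control #2 (hypothetical field name)
    restrict_to_own_cases: bool = False


@dataclass
class User:
    email: str
    # accounts on which the user currently holds an active license
    active_licenses: frozenset
    # every account the user was ever linked to (what the pre-fix check relied on)
    historical_accounts: frozenset


def can_view_case_before(user, case):
    """Pre-fix behaviour: any account the user was ever linked to, every case on it."""
    return case.account in user.historical_accounts


def can_view_case_after(user, case, accounts):
    """Hardened check: active license on the case's account (Control #1), and,
    if the account is restricted, only cases the user created (Control #2)."""
    if case.account not in user.active_licenses:
        return False
    if accounts[case.account].restrict_to_own_cases and case.created_by != user.email:
        return False
    return True


# Constructed sample data (hypothetical): Cindy moved from Acme to Omega,
# Omega's Contract Manager has restricted case visibility, Acme has not.
ACCOUNTS = {"Acme": Account("Acme"), "Omega": Account("Omega", restrict_to_own_cases=True)}
ACCOUNTS_DEFAULT = {"Acme": Account("Acme"), "Omega": Account("Omega")}
CINDY = User("cindy@example.com", frozenset({"Omega"}), frozenset({"Acme", "Omega"}))
ACME_CASE = Case("C-1", "Acme", "bob@example.com")
OMEGA_OWN = Case("C-2", "Omega", "cindy@example.com")
OMEGA_OTHER = Case("C-3", "Omega", "dave@example.com")
```

With the default (unrestricted) setting the hardened check still lets Cindy see every Omega case, which is why Control #2 is an opt-in step for the Contract Manager.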
To take advantage of this optional enhanced control, follow steps 1-6 below.
Steps to update the default setting:

  1. Log in to the Autodesk Customer Portal.

  2. Click on “Manage your cases.”

  3. Navigate to the “View Cases” tab.

  4. In the “Accounts” dropdown, select the account for which you’d like to change the default setting.

  5. Check the “Restrict ability to view cases created by other users on this account” box.

  6. Repeat this for every account for which you wish to restrict access.

Revision History

Revision: 1.0

Date: 10/19/2023

Description: Initial Release of the Security Advisory


Disclaimer

INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” IN CONNECTION WITH AUTODESK PRODUCTS. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS AND ITS AND THEIR DIRECTORS, OFFICERS, EMPLOYEES, AGENTS AND REPRESENTATIVES MAKE NO REPRESENTATIONS ABOUT THE SITE, ANY PRODUCTS AND SERVICES CONTAINED ON THE SITE OR THE SUITABILITY OF THE INFORMATION CONTAINED IN THE MATERIALS, INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS PUBLISHED ON THIS SITE FOR ANY PURPOSE. THE SITE, ANY PRODUCTS OR SERVICES (INCLUDING WITHOUT LIMITATION, THIRD PARTY PRODUCTS AND SERVICES) OBTAINED THROUGH THE SITE, AND ALL SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS ARE PROVIDED FOR YOUR USE AT YOUR OWN RISK AND "AS IS" WITHOUT WARRANTY OF ANY KIND. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS SITE, SUCH PRODUCTS AND SERVICES AND SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT.