CVE-2024-23139: 
Autodesk FBX Review vulnerability analysis and mitigation

CVE-2024-23139 is a critical vulnerability discovered in Autodesk FBX Review version 1.5.3.0 and prior versions. The vulnerability involves an Out-of-Bounds Write issue when parsing ActionScript Byte Code (ABC) files, which are created by the Flash compiler and contain executable code (Autodesk Advisory). The vulnerability was initially reported by Michael DePlante from Trend Micro's Zero Day Initiative team and was publicly disclosed on March 17, 2024 (ZDI Advisory).

The vulnerability is classified as an Out-of-Bounds Write (CWE-787) with a CVSS v3.1 base score of 7.8 HIGH (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The specific flaw exists within the parsing of ABC files and results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated data structure (ZDI Advisory).

When exploited, this vulnerability can lead to multiple severe consequences including system crashes, data corruption, and arbitrary code execution in the context of the current process. The vulnerability could potentially expose design assets, project information, or personal user data (Security Online).

Autodesk has released version 1.5.4.0 to address this vulnerability. Users of affected versions are strongly recommended to apply the available hotfix through the Autodesk App Store. Users of previous versions that no longer qualify for full support should upgrade to a supported version as soon as possible (Autodesk Advisory).