CVE-2023-36551: 
FortiSIEM vulnerability analysis and mitigation

A sensitive information exposure vulnerability (CWE-200) was discovered in Fortinet FortiSIEM versions 6.7.0 through 6.7.5. The vulnerability allows an authenticated attacker to obtain the absolute path of files used by the supervisor through a crafted HTTP request, which could be dangerous if used in conjunction with other vulnerabilities (Fortinet Advisory, NVD).

The vulnerability is tracked as CVE-2023-36551 and has been assigned a CVSS v3.1 base score of 5.3 (Medium) by NIST and 4.3 (Medium) by Fortinet. The vulnerability stems from improper protection of sensitive information, specifically allowing exposure of absolute file paths used by the supervisor component. The attack requires network access and low privileges to exploit (NVD).

If successfully exploited, the vulnerability allows an authenticated attacker to obtain sensitive information about the system's file paths. While this information disclosure alone may seem minor, it could be leveraged in combination with other vulnerabilities to conduct more sophisticated attacks (Fortinet Advisory).

Fortinet has released patches to address this vulnerability. Users are advised to upgrade to FortiSIEM version 7.0.0 or above, version 6.7.6 or above, or version 6.6.0 or above. All versions of FortiSIEM 7.3, 7.2, 7.1, 7.0, and versions 6.6 and earlier are not affected by this vulnerability (Fortinet Advisory).