by shiftyck 1658 days ago
I wrote a script today to try and exploit this on our Grafana 8.1.2 instance but couldn't. Using OAuth for auth and only got 302 redirects back to the login page. Anyone else able to exploit this with OAuth?
1 comment

It might be because of path normalization by your HTTP client. For example, with `curl` you will also need to use `--path-as-is` to correctly test traversal. Another reason could be path normalization by the reverse proxy/WAF.

> --path-as-is
>
> Tell curl to not handle sequences of /../ or /./ in the given URL path. Normally curl will squash or merge them according to standards but with this option set you tell it not to do that.
>
> Added in 7.42.0.
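Added example, not part of the thread: the normalization the comment refers to is RFC 3986 section 5.2.4 ("remove dot segments"). The sketch below implements it to show when a test request was rewritten before it left the client, and reuses it as an access-log check for raw paths that arrive unnormalized and resolve outside a served prefix. The `/static/` prefix and the sample paths are constructed for illustration.

```python
def remove_dot_segments(path: str) -> str:
    """RFC 3986 5.2.4: collapse "." and ".." segments in a URL path."""
    out, buf = [], path          # out holds segments with their leading "/"
    while buf:
        if buf.startswith("../"):
            buf = buf[3:]
        elif buf.startswith("./") or buf.startswith("/./"):
            buf = buf[2:]
        elif buf == "/.":
            buf = "/"
        elif buf.startswith("/../") or buf == "/..":
            buf = "/" + buf[4:]  # drop the ".." and the segment before it
            if out:
                out.pop()
        elif buf in (".", ".."):
            buf = ""
        else:
            end = buf.find("/", 1)
            end = len(buf) if end == -1 else end
            out.append(buf[:end])
            buf = buf[end:]
    return "".join(out)

def sent_unchanged(typed_path: str) -> bool:
    """False means a normalizing client sends a different path than typed,
    so the response says nothing about the traversal being tested."""
    return remove_dot_segments(typed_path) == typed_path

def escapes_prefix(raw_path: str, prefix: str) -> bool:
    """Log-side check: raw path starts under prefix but resolves outside it."""
    return raw_path.startswith(prefix) and \
        not remove_dot_segments(raw_path).startswith(prefix)

def flag_requests(raw_paths, prefix="/static/"):
    return [p for p in raw_paths if escapes_prefix(p, prefix)]

# Constructed raw request paths, as they might appear in an access log.
SAMPLE_PATHS = [
    "/static/img/logo.png",
    "/static/img/../css/site.css",        # stays under /static/
    "/static/img/../../../etc/hostname",  # resolves outside /static/
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, "->", remove_dot_segments(p), "| sent unchanged:", sent_unchanged(p))
    print("flagged:", flag_requests(SAMPLE_PATHS))
```

A raw path with dot segments showing up in server logs at all means the sender disabled normalization, which ordinary browsers and clients do not do.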