So @Metlstorm has set me straight on this... Oracle tried to fix the path traversal bug in the WebLogic console (CVE-14882) by introducing a patch that blacklisted path traversal. They had good reason to do it in a hurry (attacks already in the wild). https://t.co/DMq5llMpI6
— Brett Winterford (@breditor) November 3, 2020