Aug 19, 2014 - Jacob Vosmaer

GitLab not affected by Rails vulnerability CVE-2014-3514

Yesterday the developers of Ruby on Rails released a security advisory for parameter injection vulnerability CVE-2014-3514. GitLab is not affected by this vulnerability.

Background

CVE-2014-3514 affects applications which pass unsanitized user input to the ActiveRecord create_with method. GitLab 7.1 nor its dependencies use create_with. GitLab 7.2 (to be released) does use create_with in two locations, but neither of those two call sites passes user input to the method.

We would like to thank Robert Schilling and Jeroen van Baarsen of the GitLab core team for their assistance in investigating this issue.

Please contact us at support@gitlab.com if you have any questions about this issue.

For the latest and most detailed news follow @gitlab on Twitter. Future blog posts suggestions.

Install GitLab in 2 minutes

With Ubuntu, Debian, CentOS and Raspbian packages or from source

Install GitLab Now

Try GitLab Enterprise Edition risk-free for 30 days.

No credit card required. Have questions? Contact us.