---
title: "GitLab not affected by Rails vulnerability CVE-2014-3514"
date: 2014-08-19
categories: company
author: Jacob Vosmaer
---

Yesterday the developers of Ruby on Rails released a [security advisory for parameter injection vulnerability CVE-2014-3514](https://groups.google.com/forum/#!topic/rubyonrails-security/M4chq5Sb540). GitLab is not affected by this vulnerability.

## Background

CVE-2014-3514 affects applications which pass unsanitized user input to the ActiveRecord `create_with` method. Neither GitLab 7.1 nor its dependencies use `create_with`. GitLab 7.2 (to be released) does use `create_with` in two locations, but neither of those two call sites passes user input to the method.

We would like to thank Robert Schilling and Jeroen van Baarsen of the [GitLab core team](/community/core-team/) for their assistance in investigating this issue.

Please contact us at support@gitlab.com if you have any questions about this issue.
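
The call-site audit described under Background, sketched as an added example (not GitLab's code or tooling): a heuristic Ruby scanner that lists every `create_with` call and marks those whose argument mentions request data for manual review. The function name, the sample file paths and the list of request-data names are assumptions, and the sample sources are constructed.

```ruby
# Added example, not GitLab code: heuristic audit of `create_with` call sites.
# Assumption: these names carry request data in a Rails controller.
USER_INPUT = /\b(params|request|cookies)\b/

# Returns one finding per `create_with` call: file, line, code, verdict.
def audit_create_with(sources)
  sources.flat_map do |path, code|
    tainted = [] # locals assigned from request data earlier in this file
    code.each_line.with_index(1).map do |line, lineno|
      stripped = line.sub(/#.*$/, '') # drop comments (naive about '#' in strings)
      if (m = stripped.match(/^\s*(\w+)\s*=\s*(.+)$/)) && m[2] =~ USER_INPUT
        tainted << m[1]
      end
      call = stripped[/\.create_with\s*\(?(.*)$/, 1] # text after `create_with(`
      next unless call
      risky = call =~ USER_INPUT ||
              tainted.any? { |v| call =~ /\b#{Regexp.escape(v)}\b/ }
      { file: path, line: lineno, code: line.strip,
        verdict: risky ? :review : :literal }
    end.compact
  end
end

# Constructed sample sources; paths and classes are hypothetical.
SAMPLE = {
  'app/models/example_label.rb' => <<~RUBY,
    class ExampleLabel
      def self.default
        Label.create_with(color: 'blue').find_or_create_by(title: 'bug')
      end
    end
  RUBY
  'app/controllers/example_controller.rb' => <<~RUBY
    class ExampleController
      def create
        attrs = params[:label]
        Label.create_with(attrs).find_or_create_by(title: 'bug')
        Label.create_with(params[:label].permit(:color)).first_or_create
      end
    end
  RUBY
}

if __FILE__ == $PROGRAM_NAME
  audit_create_with(SAMPLE).each do |f|
    puts format('%-8s %s:%d  %s', f[:verdict], f[:file], f[:line], f[:code])
  end
end
```

A `:review` verdict only means a person has to read the call site; the scanner does not follow data across methods or files.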