On January 8th, Aaron Patterson announced CVE-2013-0156, multiple vulnerabilities in parameter parsing in Action Pack allowing attackers to:
- Bypass authentication systems
- Inject arbitrary SQL
- Perform a Denial of Service (DoS)
- Execute arbitrary code
Anyone running Ruby on Rails is therefore advised to update to the latest version, as not doing so could lead to a compromise.