This bug would never merit a CVE. The reply would be something like, "If you don't want to get pwned, just whitelist your params like the docs have said since 2008. Duh."
The value in what Homakov did was demonstrating that even extremely competent, experienced Rails developers don't always follow the docs. I'm not sure how anyone could do that without actually showing it in the wild.