atlassian 14e5536372e2 CONFSERVER-95999
History: Jun 17, 2024 - 5:20 p.m.

Duplicate users when using pagination(start,limit parameter) in GET /rest/api/user/list REST API call.

jira.atlassian.com

AI Score: 7.3 High
Confidence: High

h3. Issue Summary

When pagination (the start and limit parameters) is used in a GET /rest/api/user/list REST API call, duplicate users are observed.

This is reproducible on Data Center: yes

h3. Steps to Reproduce

On a Confluence instance with multiple users from external and internal directories, run the following command to get the user list using pagination. The following command should return only 5 users starting from 0.

{code:java}
% curl -s --header 'Accept: application/json' -u <username:password> '<confluence-base-url>/rest/api/user/list?start=0&limit=5' | jq | egrep 'username|next|prev'
{code}

Run the command again using the next URL given in the output; the second page contains duplicate users.

{code:java}
% curl -s --header 'Accept: application/json' -u <username:password> '<confluence-base-url>/rest/api/user/list?start=5&limit=5' | jq | egrep 'username|next|prev'
{code}

The same behavior can be seen for other values of limit and start.

The total number of users returned by all the commands will equal the number of users in the Confluence instance. However, because some users are returned more than once, other users never appear in the command results.

For example, if there are 100 distinct users in a Confluence instance, and we use start as 0 and limit as 10, we retrieve the 100 users in batches of 10. In total, we have to run the curl command 10 times. But these 10 iterations will contain duplicate users, so not all 100 distinct users will be retrieved.

h3. Expected Results

  • The output for the next and previous URLs should be different and should not show duplicate users.

h3. Actual Results

  • The output of the next and previous commands shows duplicate users. In the output below, the users Administrator, Sapter, and Canter are repeated.
    {code:java}
    curl -s --header 'Accept: application/json' -u <username:password> '<confluence-base-url>/rest/api/user/list?start=0&limit=5' | jq | egrep 'username|next|prev'
    "username": "admin",
    "username": "Dora",
    "username": "Administrator",
    "username": "Sapter",
    "username": "Canter",
    "next": "/rest/api/user/list?limit=5&start=5",

    curl -s --header 'Accept: application/json' -u <username:password> '<confluence-base-url>/rest/api/user/list?start=5&limit=5' | jq | egrep 'username|next|prev'
    "username": "EasaW",
    "username": "FourD",
    "username": "Administrator",
    "username": "Sapter",
    "username": "Canter",
    "next": "/rest/api/user/list?limit=5&start=10",
    "prev": "/rest/api/user/list?limit=5&start=0",
    {code}
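
One way to check a paginated user listing for this condition, as an added example that is not part of the original report or Atlassian's code. The `fetch` callable, the `audit_pagination` name and the JSON shape (`results`, `_links`) are assumptions; the sample pages are constructed from the usernames and links shown above.

```python
from collections import defaultdict

# Constructed sample pages using the usernames and next/prev links from the
# report. The JSON shape ("results" list, "_links" object) is an assumption,
# and the sample stops after two pages (the report's second page has a next link).
SAMPLE_PAGES = {
    "/rest/api/user/list?limit=5&start=0": {
        "results": [{"username": u} for u in
                    ("admin", "Dora", "Administrator", "Sapter", "Canter")],
        "_links": {"next": "/rest/api/user/list?limit=5&start=5"},
    },
    "/rest/api/user/list?limit=5&start=5": {
        "results": [{"username": u} for u in
                    ("EasaW", "FourD", "Administrator", "Sapter", "Canter")],
        "_links": {"prev": "/rest/api/user/list?limit=5&start=0"},
    },
}


def audit_pagination(fetch, first_url, max_pages=10000):
    """Follow 'next' links and record every page each username appears on.

    fetch (hypothetical helper) takes a relative URL and returns the parsed
    JSON page as a dict.
    """
    pages_by_user = defaultdict(list)
    rows, url, visited = 0, first_url, set()
    while url and url not in visited and len(visited) < max_pages:
        visited.add(url)  # guards against a next link that loops back
        page = fetch(url)
        for user in page.get("results", []):
            pages_by_user[user["username"]].append(url)
            rows += 1
        url = page.get("_links", {}).get("next")
    duplicates = {u: p for u, p in pages_by_user.items() if len(p) > 1}
    return {
        "rows": rows,
        "distinct": len(pages_by_user),
        "duplicates": duplicates,
        # Per the report, over a full walk rows equals the real user count, so
        # every repeated row stands in for a user that was never returned.
        "unreturned": rows - len(pages_by_user),
    }


if __name__ == "__main__":
    print(audit_pagination(SAMPLE_PAGES.__getitem__, "/rest/api/user/list?limit=5&start=0"))
```

A user-access review or offboarding script that consumes this endpoint can treat a non-empty `duplicates` map as a sign that the listing is incomplete.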

h3. Workaround

Currently, there is no known workaround for this behavior. A workaround will be added here when available.

Affected configurations

Vulners node (any of):

  • atlassian confluence_data_center, range 8.5.9
  • atlassian confluence_data_center, range 8.5.11
  • atlassian confluence_data_center, range 8.9.3
  • atlassian confluence_data_center, range 7.19.24
