Confused deputy problem for databases: a method for privilege escalation in MariaDB

Date and time

  • Saturday 3 February, 14:30 – 15:15 EET (UTC+3)

Abstract

Operating systems have had confused-deputy-based privilege escalations for ages. But does the same problem exist in a database? In this session I will demonstrate a number of cases where a simple SELECT can be used to escalate a privilege inside the MariaDB database.

Alexander Rubin, Amazon Web Services

Alexander is a Principal Security Engineer at Amazon Web Services (AWS), leading the RDS Red Team.

Alexander worked as a MySQL principal consultant/architect for over 15 years, starting with MySQL AB (the company behind the MySQL database) in 2006, followed by Sun Microsystems, Oracle and then Percona. His interest in security pentesting and red teaming started with playing CTFs and performing open-source security research. Alexander is leading the RDS (relational database as a service) Red Team at Amazon Web Services.