
In a command injection you trick a service into doing something for you that it would not normally do. Does that mean that command injections are examples of (exploiting) confused deputies? Does the reverse also hold?

More generally, are command injection and confused deputies two sides of the same coin or is their relation more complicated?

Anders
hkBst

1 Answer


A confused deputy is a concern over what entity should be in control - which is an authorization and access control problem. This is a problem of trustworthiness and verifying intent. Vulnerabilities like server-side request forgery (SSRF), client-side request forgery (CSRF), and insecure direct object reference (IDOR) fall under this category.

Injection attacks are caused by the confusion between what is data and what is code. An injection is one type of vulnerability that can be used to undermine access control systems, in that a compromised server becomes a kind of confused deputy that is useful in pivoting and post-exploitation (attack chaining). But this isn't the only case: you could have a code injection vulnerability in a sandboxed environment, which isn't a trusted entity but could still be used for abuse, like mining bitcoin.

Injection attacks are more or less independent from confused deputies, but an injection could be used to take control over a trusted entity. There are many ways that an attacker can confuse a deputy.

rook
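As an added illustration of the data-versus-code point in the answer above (example code, not the answerer's): a small service that pings a caller-supplied host is a deputy acting with its own privileges. The first builder splices the input into a shell string, so the shell parses it as code; the second validates the input and passes it as a single argv element, so it can only ever be data. The hostname pattern, the ping flags and the sample inputs are assumptions constructed for this example.

```python
import re
import shlex
import subprocess
from typing import List

# Conservative hostname pattern (an assumption for this example): letters, digits,
# dots and hyphens only, so shell metacharacters can never reach the command.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")

# Shell operators that start another command or pipeline.
COMMAND_SEPARATORS = {";", "&&", "||", "|", "&"}


def build_shell_command(host: str) -> str:
    """Vulnerable builder: untrusted data is spliced into text that a shell
    will parse as code, so the deputy can be made to run commands of the
    caller's choosing with the service's own privileges."""
    return f"ping -c 1 {host}"


def shell_command_count(command: str) -> int:
    """Count how many commands a POSIX shell would see in `command`,
    using shlex's punctuation-aware tokenizer (no shell is invoked)."""
    tokens = list(shlex.shlex(command, posix=True, punctuation_chars=True))
    return 1 + sum(1 for t in tokens if t in COMMAND_SEPARATORS)


def build_argv(host: str) -> List[str]:
    """Hardened builder: validate the input, then pass it as one argv element.
    No shell is involved, so the host can only ever be data."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def argv_rejects(host: str) -> bool:
    """True if the hardened builder refuses this input."""
    try:
        build_argv(host)
    except ValueError:
        return True
    return False


def probe(host: str) -> int:
    """Run the hardened command and return ping's exit status."""
    return subprocess.run(build_argv(host), capture_output=True, check=False).returncode


if __name__ == "__main__":
    benign = "example.com"                     # constructed sample input
    hostile = "example.com; echo injected"     # constructed sample input
    print(shell_command_count(build_shell_command(benign)))   # 1
    print(shell_command_count(build_shell_command(hostile)))  # 2: the data became code
    print(build_argv(benign))                                 # ['ping', '-c', '1', 'example.com']
    print(argv_rejects(hostile))                              # True
```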