Impact
The vulnerability arises from improper neutralization of argument delimiters in the volume handling component of the AWS EFS CSI Driver. A remote authenticated user who has permission to create a PersistentVolume can inject arbitrary mount options by manipulating a comma delimiter, altering the options used when the EFS file system is mounted within a Kubernetes cluster. The impact depends on the options supplied; based on typical mount option semantics, the attacker might influence access control or performance characteristics. The advisory does not explicitly state the precise consequences, but it is inferred that the injected options could affect permissions or data visibility.
Affected Systems
The affected product is the AWS EFS CSI Driver from Amazon, in all releases before version v3.0.1. Any Kubernetes cluster that uses one of these earlier driver versions is vulnerable unless the administrator applies the available patch.
Risk and Exploitability
The CVSS score for this issue is 6.9, indicating moderate severity. The EPSS score is not provided, and the vulnerability is not listed in CISA KEV, suggesting it may not yet be actively exploited. The likely attack vector is remote authenticated access via PersistentVolume creation rights. Because the attacker must hold PV creation privileges, exposure is limited to environments where access controls are misconfigured or overly permissive. If these conditions are met, the attacker could deploy pods that mount EFS volumes with malicious options.
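An audit for the comma-delimiter injection described under Impact, added here as an example and not taken from the advisory or the driver's code: it reads `kubectl get pv -o json` output and flags EFS CSI PersistentVolumes that carry a comma in a CSI field. The page does not name the injected field, so checking `volumeHandle` and every `volumeAttributes` value is an assumption, and the sample input is constructed.

```python
import json

EFS_DRIVER = "efs.csi.aws.com"  # CSI driver name used by the AWS EFS CSI Driver

# Constructed sample in the shape of `kubectl get pv -o json`; every name, ID
# and attribute key below is made up for the example.
SAMPLE_PV_LIST = json.dumps({"items": [
    {"metadata": {"name": "pv-ok"},
     "spec": {"csi": {"driver": EFS_DRIVER, "volumeHandle": "fs-00000000000000001"}}},
    {"metadata": {"name": "pv-odd"},
     "spec": {"csi": {"driver": EFS_DRIVER,
                      "volumeHandle": "fs-00000000000000002,PLACEHOLDER",
                      "volumeAttributes": {"exampleAttr": "a,PLACEHOLDER"}}}},
    {"metadata": {"name": "pv-other"},
     "spec": {"csi": {"driver": "other.csi.example.com", "volumeHandle": "x,y"}}},
    {"metadata": {"name": "pv-nfs"}, "spec": {"nfs": {"server": "nfs.example.com"}}},
]})


def flag_comma_fields(pv_list_json):
    """Return sorted (pv_name, field) pairs for EFS CSI PersistentVolumes whose
    volumeHandle or volumeAttributes values contain a comma.

    Assumption: the page does not name the injected field, so every
    string-valued CSI field of the volume is checked.
    """
    doc = json.loads(pv_list_json)
    # Accept both a List object and a single PersistentVolume.
    items = doc.get("items", [doc])
    hits = []
    for pv in items:
        csi = (pv.get("spec") or {}).get("csi") or {}
        if csi.get("driver") != EFS_DRIVER:
            continue  # other CSI drivers and non-CSI volumes are out of scope
        fields = {"volumeHandle": csi.get("volumeHandle", "")}
        for key, value in (csi.get("volumeAttributes") or {}).items():
            fields["volumeAttributes." + key] = value
        name = pv.get("metadata", {}).get("name", "<unnamed>")
        hits += [(name, f) for f, v in fields.items() if "," in str(v)]
    return sorted(hits)


if __name__ == "__main__":
    for name, field in flag_comma_fields(SAMPLE_PV_LIST):
        print(f"{name}: {field} contains a comma; review this PersistentVolume")
```

A hit is a prompt to review who created the PersistentVolume and with what values, not proof of exploitation; the fix remains upgrading the driver to v3.0.1 or later.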