Yes, both of those reports were disputed.
Since the very first JBoss AS 7 release all admin access has required authentication out of the box in all our default configurations.
The reports that were raised were that an administrator can reconfigure the server to switch off authentication, but this is an application server: we offer various configuration options, so it is possible for an administrator to either decrease or increase the security policies to meet their own environmental needs.
Thank you Darran for your response.
As an example, by default the http-interface is associated with the ManagementRealm in WildFly 15.0.1.
Just to confirm this: as long as http-interface, http-remoting-connector, http-connector, etc. are associated with a security realm (Management or Application) in standalone-full.xml, we should not see this vulnerability. Is that correct?
+1. Provided the management interface is associated with a security realm and that security realm contains a definition for authentication, all access to that endpoint will require authentication.
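As an added check (not code from this thread or from the WildFly project), the script below reads a standalone.xml excerpt and reports, for each management interface, whether it names a security realm that defines an `<authentication>` section, which is the condition the reply above describes; the sample configuration and its schema namespace are constructed assumptions, and the Elytron `http-authentication-factory` alternative is not evaluated.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of a WildFly standalone.xml (not a real server's file); namespace assumed for WildFly 15.
SAMPLE_CONFIG = """<server xmlns="urn:jboss:domain:8.0">
  <management>
    <security-realms>
      <security-realm name="ManagementRealm">
        <authentication>
          <local default-user="$local" skip-group-loading="true"/>
          <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
        </authentication>
      </security-realm>
      <security-realm name="EmptyRealm"/>
    </security-realms>
    <management-interfaces>
      <http-interface security-realm="ManagementRealm">
        <socket-binding http="management-http"/>
      </http-interface>
    </management-interfaces>
  </management>
</server>"""

def local(tag):
    """Strip the XML namespace so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]

def audit_management_interfaces(xml_text):
    """Map each management interface to "ok" or a reason access is not authenticated.

    "ok" means the interface's security-realm exists and contains <authentication>.
    """
    root = ET.fromstring(xml_text)
    # realm name -> whether the realm defines an <authentication> section
    realms = {r.get("name"): any(local(c.tag) == "authentication" for c in r)
              for r in root.iter() if local(r.tag) == "security-realm"}
    verdicts = {}
    for node in root.iter():
        kind = local(node.tag)
        if kind not in ("http-interface", "native-interface"):
            continue
        realm = node.get("security-realm")
        if realm is None:
            verdicts[kind] = "no security-realm attribute: access is unauthenticated"
        elif realm not in realms:
            verdicts[kind] = f"security-realm {realm!r} is not defined"
        elif not realms[realm]:
            verdicts[kind] = f"security-realm {realm!r} has no <authentication> section"
        else:
            verdicts[kind] = "ok"
    return verdicts
```

Running the check against a copy of the sample with the `security-realm` attribute removed, or pointed at `EmptyRealm`, shows the two misconfigurations the thread warns about.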