When anonymous read access is allowed, the following URL is accessible:
"<JENKINS_URL>/_script" (please note the underscore!)

Fortunately, trying to execute a script with the "Run" button leads to a redirect to the login page.

In contrast, "<JENKINS_URL>/script" (without the underscore) is properly redirected to the login page by default.

This issue can be reproduced, by installing the latest weekly release or LTS release, enabling anonymous read access in the security settings and accessing the mentioned URLs.

1. Is there a legitimate reason to make the script console available under "<JENKINS_URL>/_script" (independent of the authentication issue)? Does something depend on that URL?
2. If both questions under 1. can be answered with "No", I'd recommend removing access to the URL completely. If the answers to 1. are "Yes", I'd recommend fixing the missing authentication (it should have the same behavior as "<JENKINS_URL>/script").