If you do not run a Deployment Server or use the Deployment Server functionality, the vulnerability is informational. You can disable the Deployment Server functionality temporarily without disabling the server. See CLI admin commands for more information.
The severity assumes the information contained within the forwarder bundle is highly confidential and sensitive such as certificates and passwords. Most app bundles do not meet that qualification. For most app bundles containing standard code and public apps, the severity is reduced to Medium. If you classify the forwarder bundle as public information, the severity is reduced to informational.
If the Deployment Server is within a VPC/VPN and only available within that adjacent boundary, Splunk recommends reducing the severity to Medium.