products / openjdk

OpenJDK

OpenJDK CVEs are published under cpe:2.3:a:oracle:openjdk. The Oracle CPE namespace can overlap with Oracle JDK-only advisories; if sentinel inflation appears, re-evaluate eligibility per the coverage plan.

api usage

Querying OpenJDK

product slugopenjdk

version format17.0.0, 21.0.5, semver

bash

curl "https://api.attestd.io/v1/check?product=openjdk&version=17.0.0" \
  -H "Authorization: Bearer $ATTESTD_KEY"

json

{
  "product": "openjdk",
  "version": "17.0.0",
  "supported": true,
  "risk_state": "high",
  "risk_factors": [
    "remote_code_execution",
    "patch_available",
    "internet_exposed_service"
  ],
  "actively_exploited": false,
  "remote_exploitable": true,
  "authentication_required": false,
  "patch_available": true,
  "fixed_version": "17.0.12",
  "confidence": 0.77,
  "cve_ids": ["CVE-2024-20952", "CVE-2024-20918"],
  "last_updated": "2026-05-13T18:00:00Z",
  "supply_chain": null
}

safe version

bash

curl "https://api.attestd.io/v1/check?product=openjdk&version=21.0.5" \
  -H "Authorization: Bearer $ATTESTD_KEY"

notable cves

CVE history

CVE	Description	CVSS
`CVE-2024-20952`	Oracle / OpenJDK security-libs vulnerability (illustrative Critical Patch Update advisory class).	7.4
`CVE-2024-20918`	Oracle / OpenJDK compiler-area vulnerability class.	7.4

All products Apache Tomcat Log4j Response Field Reference