The default configuration for OpenSSH enables AllowTcpForwarding, which could allow remote authenticated users to perform a port bounce, when configured with an anonymous access program such as AnonCVS.
http://marc.info/?l=bugtraq&m=109413637313484&w=2
http://securitytracker.com/id?1011143