What’s the difference between Local and Physical attack vector in CVSS 3.1?

I’m reviewing CVSS 3.1 specification, recently.

I encounter the example below:

Sophos Login Screen Bypass Vulnerability (CVE-2014-2005)

Sophos Disk Encryption (SDE) 5.x in Sophos Enterprise Console (SEC)
5.x before 5.2.2 does not enforce intended authentication requirements for a resume action from sleep mode, which allows physically proximate
attackers to obtain desktop access by leveraging the absence of a
login screen.

For this vulnerability, the attack vector parameter is set to Physical, but based on CVSS 3.1 description and specification, it should be Local.


The vulnerable component is not bound to the network stack and the
attacker’s path is via read/write/execute capabilities. Either: the
attacker exploits the vulnerability by accessing the target system
locally (e.g., keyboard, console), or remotely (e.g., SSH); or the
attacker relies on User Interaction by another person to perform
actions required to exploit the vulnerability (e.g., using social
engineering techniques to trick a legitimate user into opening a
malicious document).


The attack requires the attacker to physically touch or manipulate the
vulnerable component. Physical interaction may be brief (e.g., evil
maid attack(^1)) or persistent. An example of such an attack is a cold
boot attack in which an attacker gains access to disk encryption keys
after physically accessing the target system. Other examples include
peripheral attacks via FireWire/USB Direct Memory Access (DMA).

Do have I any misunderstanding here??

am I wrong??